bug#46634: [PATCH] gnu: node: Update to 10.23.3. [security fixes]

guix-patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#46634: [PATCH] gnu: node: Update to 10.23.3. [security fixes]

From:	Jelle Licht
Subject:	bug#46634: [PATCH] gnu: node: Update to 10.23.3. [security fixes]
Date:	Wed, 24 Feb 2021 10:38:34 +0100

Jonathan Brielmaier <jonathan.brielmaier@web.de> writes:

> On 19.02.21 12:02, Jelle Licht wrote:
>> Hey Guix,
>>
>> The attached two patches together should address CVE-2020-8287 (in
>> Node). I am kind of fuzzy on the details, but to me it seems that the
>> vulnerability is actually in http-parser (and llhttp), not node. I
>> informed upstream about my findings, but in the mean time we should
>> probably apply these.
>>
>> The node package subsequently has a regression test to demonstrate that
>> the applied fix works. Nonetheless, http-parser has quite some
>> dependents, and I only verified everything to still work with node.
>>
>>   - Jelle
>
> Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0
> so as well for the next ESR branch of icecat and icedove...

Good to know, I wouldn't want to block any other ongoing packaging efforts:

I pushed the patches to master, with the security fix at 66fa2d318a.
 - Jelle

[Prev in Thread]

Current Thread

[Next in Thread]

[bug#46634] [PATCH] gnu: node: Update to 10.23.3. [security fixes], Jelle Licht, 2021/02/19
- [bug#46634] [PATCH] gnu: node: Update to 10.23.3. [security fixes], Jonathan Brielmaier, 2021/02/23
  - bug#46634: [PATCH] gnu: node: Update to 10.23.3. [security fixes], Jelle Licht <=

Prev by Date: [bug#46266] [PATCH] gnu: Update bitcoin-core to 0.21.0
Next by Date: [bug#44492] [PATCH 01/52] gnu: Add rust-ruma-identifiers-validation-0.1.
Previous by thread: [bug#46634] [PATCH] gnu: node: Update to 10.23.3. [security fixes]
Next by thread: [bug#46637] gnu: Add obs-websocket.
Index(es):
- Date
- Thread