Message ID | 86czww5nhl.fsf@fsfe.org |
---|---|
State | Accepted |
Series | [bug#46634] gnu: node: Update to 10.23.3. [security fixes] |
Context | Check | Description |
---|---|---|
cbaines/submitting builds | success | |
cbaines/comparison | success | View comparison |
cbaines/git branch | success | View Git branch |
cbaines/applying patch | fail | View Laminar job |
cbaines/issue | success | View issue |
On 19.02.21 12:02, Jelle Licht wrote:
> Hey Guix,
>
> The attached two patches together should address CVE-2020-8287 (in
> Node). I am kind of fuzzy on the details, but to me it seems that the
> vulnerability is actually in http-parser (and llhttp), not node. I
> informed upstream about my findings, but in the mean time we should
> probably apply these.
>
> The node package subsequently has a regression test to demonstrate that
> the applied fix works. Nonetheless, http-parser has quite some
> dependents, and I only verified everything to still work with node.
>
> - Jelle

Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0
so as well for the next ESR branch of icecat and icedove...

Jonathan Brielmaier <jonathan.brielmaier@web.de> writes:

> On 19.02.21 12:02, Jelle Licht wrote:
>> Hey Guix,
>>
>> The attached two patches together should address CVE-2020-8287 (in
>> Node). I am kind of fuzzy on the details, but to me it seems that the
>> vulnerability is actually in http-parser (and llhttp), not node. I
>> informed upstream about my findings, but in the mean time we should
>> probably apply these.
>>
>> The node package subsequently has a regression test to demonstrate that
>> the applied fix works. Nonetheless, http-parser has quite some
>> dependents, and I only verified everything to still work with node.
>>
>> - Jelle
>
> Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0
> so as well for the next ESR branch of icecat and icedove...

Good to know, I wouldn't want to block any other ongoing packaging
efforts: I pushed the patches to master, with the security fix at
66fa2d318a.

- Jelle

From 44f5b6f6ee7ffbec1c38d52ac8356b3f5a252e61 Mon Sep 17 00:00:00 2001 From: Jelle Licht <jlicht@fsfe.org> Date: Wed, 17 Feb 2021 00:06:04 +0100 Subject: [PATCH] gnu: node: Update to 10.23.3. * gnu/packages/node.scm (node): Update to 10.23.3. --- gnu/packages/node.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm index 77c47ec71f..051c4c3b41 100644 --- a/gnu/packages/node.scm +++ b/gnu/packages/node.scm @@ -50,14 +50,14 @@ (define-public node (package (name "node") - (version "10.22.1") + (version "10.23.3") (source (origin (method url-fetch) (uri (string-append "https://nodejs.org/dist/v" version "/node-v" version ".tar.xz")) (sha256 (base32 - "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl")) + "13za06bz17k71gcxyrx41l2j8al1kr3j627b8m7kqrf3l7rdfnsi")) (modules '((guix build utils))) (snippet `(begin -- 2.30.1
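
Review bot: The commit log (the Subject and the `* gnu/packages/node.scm (node): Update to 10.23.3.` entry) does not say that this is a security update, although the series title carries "[security fixes]" and the thread ties the series to CVE-2020-8287; consider noting that in the log so the bump can be identified as security-relevant from the history alone. On the `(base32 ...)` change in the same hunk, the new hash cannot be checked from the diff itself, so it is worth confirming it against the tarball at the `uri` shown here (for example with `guix download`) before applying.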