
[bug#46634] gnu: node: Update to 10.23.3. [security fixes]

Message ID 86czww5nhl.fsf@fsfe.org
State Accepted
Series [bug#46634] gnu: node: Update to 10.23.3. [security fixes]

Checks

Context / Check / Description
cbaines/submitting builds: success
cbaines/comparison: success
cbaines/git branch: success
cbaines/applying patch: fail (Laminar job)
cbaines/issue: success

Commit Message

Jelle Licht Feb. 19, 2021, 11:02 a.m. UTC
Hey Guix,

The attached two patches together should address CVE-2020-8287 (in
Node). I am kind of fuzzy on the details, but to me it seems that the
vulnerability is actually in http-parser (and llhttp), not node. I
informed upstream about my findings, but in the meantime we should
probably apply these.

The node package subsequently has a regression test to demonstrate that
the applied fix works. Nonetheless, http-parser has quite some
dependents, and I only verified everything to still work with node.

 - Jelle

Comments

Jonathan Brielmaier Feb. 23, 2021, 7:29 p.m. UTC | #1
On 19.02.21 12:02, Jelle Licht wrote:
> Hey Guix,
>
> The attached two patches together should address CVE-2020-8287 (in
> Node). I am kind of fuzzy on the details, but to me it seems that the
> vulnerability is actually in http-parser (and llhttp), not node. I
> informed upstream about my findings, but in the meantime we should
> probably apply these.
>
> The node package subsequently has a regression test to demonstrate that
> the applied fix works. Nonetheless, http-parser has quite some
> dependents, and I only verified everything to still work with node.
>
>   - Jelle

Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0
so as well for the next ESR branch of icecat and icedove...
Jelle Licht Feb. 24, 2021, 9:38 a.m. UTC | #2
Jonathan Brielmaier <jonathan.brielmaier@web.de> writes:

> On 19.02.21 12:02, Jelle Licht wrote:
>> Hey Guix,
>>
>> The attached two patches together should address CVE-2020-8287 (in
>> Node). I am kind of fuzzy on the details, but to me it seems that the
>> vulnerability is actually in http-parser (and llhttp), not node. I
>> informed upstream about my findings, but in the meantime we should
>> probably apply these.
>>
>> The node package subsequently has a regression test to demonstrate that
>> the applied fix works. Nonetheless, http-parser has quite some
>> dependents, and I only verified everything to still work with node.
>>
>>   - Jelle
>
> Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0
> so as well for the next ESR branch of icecat and icedove...

Good to know, I wouldn't want to block any other ongoing packaging efforts:

I pushed the patches to master, with the security fix at 66fa2d318a.
 - Jelle

Patch

From 44f5b6f6ee7ffbec1c38d52ac8356b3f5a252e61 Mon Sep 17 00:00:00 2001
From: Jelle Licht <jlicht@fsfe.org>
Date: Wed, 17 Feb 2021 00:06:04 +0100
Subject: [PATCH] gnu: node: Update to 10.23.3.

* gnu/packages/node.scm (node): Update to 10.23.3.
---
 gnu/packages/node.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm
index 77c47ec71f..051c4c3b41 100644
--- a/gnu/packages/node.scm
+++ b/gnu/packages/node.scm
@@ -50,14 +50,14 @@ 
 (define-public node
   (package
     (name "node")
-    (version "10.22.1")
+    (version "10.23.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://nodejs.org/dist/v" version
                                   "/node-v" version ".tar.xz"))
               (sha256
                (base32
-                "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl"))
+                "13za06bz17k71gcxyrx41l2j8al1kr3j627b8m7kqrf3l7rdfnsi"))
               (modules '((guix build utils)))
               (snippet
                `(begin
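Review bot: the commit message records only the version bump, although the cover letter presents this patch as one of two that together address CVE-2020-8287 and says the node package carries the regression test for that fix; add the CVE to the commit message body (e.g. "Fixes CVE-2020-8287 together with the http-parser update.") so the security fix can be found from the git log, since the "[security fixes]" tag lives only in the mail subject and not in the commit. The hunk itself is consistent: the version and the base32 sha256 of the source tarball change together, and nothing else in the package definition is touched.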
-- 
2.30.1