I can do it but I do not know which is best:
- let 1.6 go to unstable
- patch old version

Could you ask the release team? The debdiff between the two versions is so small that I have doubts.

On Sat, May 27, 2017 at 6:53 PM, Ross Gammon <ros...@ubuntu.com> wrote:
> Hi Bastien,
>
> If you would like me to prepare an upload to unstable for this (& unblock
> request), let me know. I have some time today & tomorrow - but travelling
> with work next week. I have DM upload rights for it.
>
> Only asking in case you are already working on it.
>
> Cheers,
>
> Ross
>
>
> On 05/27/2017 04:51 PM, Bastien ROUCARIÈS wrote:
>
> Package: node-concat-stream
> Version: 1.5.1-1
> Severity: grave
> Tags: patch security fixed-upstream fixed-in-experimental
> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
> forwarded: https://snyk.io/vuln/npm:concat-stream:20160901
>
> Overview
>
> concat-stream is a writable stream that concatenates strings or binary data
> and calls a callback with the result. Affected versions of the package are
> vulnerable to Uninitialized Memory Exposure.
>
> A possible memory disclosure vulnerability exists when a value of type
> number is provided to the stringConcat() method and results in
> concatenation of uninitialized memory to the stream collection.
>
> This is a result of unobstructed use of the Buffer constructor, whose
> insecure default constructor increases the odds of memory leakage.
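
The flaw class described in the quoted advisory, as an added example that is not part of this thread and is not concat-stream's source. `concatUnsafe` and `concatSafe` are hypothetical helpers that assume a list of chunks is turned into one Buffer; the sample input is constructed.

```javascript
// Added example: hypothetical helpers modelled on the advisory text,
// not taken from concat-stream.

// Unsafe pattern: every non-string, non-Buffer chunk goes straight to the
// Buffer constructor. For a number n, Buffer(n) allocates n bytes instead
// of encoding the digits. Before Node.js 8 those bytes were uninitialized
// heap memory; later releases zero-fill them, but the output is still n
// bytes the writer never supplied.
function concatUnsafe(parts) {
  const bufs = parts.map((p) => {
    if (Buffer.isBuffer(p)) return p;
    if (typeof p === 'string') return Buffer.from(p);
    return new Buffer(p); // deprecated constructor, kept to show the flaw
  });
  return Buffer.concat(bufs);
}

// Hardened pattern: a number is converted to its decimal text before it is
// encoded, so caller data never selects an allocation size. Unknown chunk
// types are rejected instead of being passed to a constructor.
function concatSafe(parts) {
  const bufs = parts.map((p) => {
    if (Buffer.isBuffer(p)) return p;
    if (typeof p === 'number') return Buffer.from(String(p));
    if (typeof p === 'string') return Buffer.from(p);
    if (Array.isArray(p) || p instanceof Uint8Array) return Buffer.from(p);
    throw new TypeError('unsupported chunk type: ' + typeof p);
  });
  return Buffer.concat(bufs);
}

// Constructed sample: a text chunk followed by a numeric chunk, as could
// happen when a parsed JSON value is written to the stream.
const sample = ['id=', 16];
console.log(concatUnsafe(sample).length);   // 3 text bytes + 16 allocated bytes
console.log(concatSafe(sample).toString()); // the digits, encoded as text
```

A quick check for this bug class in other code is to search for `Buffer(` and `new Buffer(` calls whose argument type is not fixed by the caller.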