Control: tags -1 - moreinfo
On 28/05/2022 20:53, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> On Fri, 2022-05-20 at 09:47 +0200, Yadd wrote:
>> node-raw-body embeds a patch that creates a Denial-of-Service
>> vulnerability into node-express.
>> [ Impact ]
>> Security issue, a simple request can crash any express application
>> [ Tests ]
>> I added a test that proves that the bug is fixed: it fails with
>> node-raw-body 2.4.1-2 and succeeds with 2.4.1-2+deb11u1
>> [ Risks ]
>> No risk, Debian package is now exactly what upstream wrote.
>> [ Checklist ]
>> [X] *all* changes are documented in the d/changelog
>> [X] I reviewed all changes and I approve them
>> [X] attach debdiff against the package in (old)stable
>> [X] the issue is verified as fixed in unstable
>> [ Changes ]
>> Drop patch which replaced node-iconv-lite by node-iconv.
> Why was that change made in the first place? The changelog entry from
> 2014 isn't particularly helpful.
Hi Adam,
node-iconv-lite entered Debian only in 2016. That's why this patch
existed.
Cheers,
Yadd