On Fri, 16 May 2025 at 08:00, Salvatore Bonaccorso <car...@debian.org> wrote:

> Hi Jeremy,
>
> On Thu, May 15, 2025 at 10:50:34PM +0200, Jérémy Lal wrote:
> > Also https://nodejs.org/en/blog/release/v20.19.2/
> > mentions
> > CVE-2024-27982 http: do not allow OBS fold in headers by default
>
> Question on this one: this was already fixed in v18.20.1, and we did
> get the fix included in 18.20.1+dfsg-1, correct? Did we lose the fix
> afterwards?
>

Yes, the fix was applied April 2, 2024 on the 18.x branch.
No, it wasn't lost.

> Do we likely have other such problems (maybe from the April 2024
> release CVEs)?
>

This looks more likely to be a badly generated changelog, because
https://github.com/nodejs/node/commits/v20.x/deps/llhttp
shows that the patch was applied to branch 20.x in April 2024, then in
the same minute, after the llhttp update, the patch was reapplied, so there's no
mistake.

So CVE-2024-27982 has always stayed fixed, and we can forget about it.

Jérémy