[PATCH] gnu: node: Update to 10.23.3. [security fixes]

2 participants
  • Jelle Licht
  • Jonathan Brielmaier
Owner
unassigned
Submitted by
Jelle Licht
Severity
normal


Jelle Licht wrote 4 years ago
(address . guix-patches@gnu.org)
86czww5nhl.fsf@fsfe.org
Hey Guix,

The attached two patches together should address CVE-2020-8287 (in
Node). I am kind of fuzzy on the details, but to me it seems that the
vulnerability is actually in http-parser (and llhttp), not node. I
informed upstream about my findings, but in the meantime we should
probably apply these.

The node package subsequently has a regression test to demonstrate that
the applied fix works. Nonetheless, http-parser has quite some
dependents, and I only verified everything to still work with node.

- Jelle
From 44f5b6f6ee7ffbec1c38d52ac8356b3f5a252e61 Mon Sep 17 00:00:00 2001
From: Jelle Licht <jlicht@fsfe.org>
Date: Wed, 17 Feb 2021 00:06:04 +0100
Subject: [PATCH] gnu: node: Update to 10.23.3.

* gnu/packages/node.scm (node): Update to 10.23.3.
---
gnu/packages/node.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm
index 77c47ec71f..051c4c3b41 100644
--- a/gnu/packages/node.scm
+++ b/gnu/packages/node.scm
@@ -50,14 +50,14 @@
(define-public node
(package
(name "node")
- (version "10.22.1")
+ (version "10.23.3")
(source (origin
(method url-fetch)
(uri (string-append "https://nodejs.org/dist/v" version
"/node-v" version ".tar.xz"))
(sha256
(base32
- "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl"))
+ "13za06bz17k71gcxyrx41l2j8al1kr3j627b8m7kqrf3l7rdfnsi"))
(modules '((guix build utils)))
(snippet
`(begin
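Review bot: The commit subject "gnu: node: Update to 10.23.3." and the changelog entry do not mention CVE-2020-8287, although the issue title carries "[security fixes]" and the cover letter says this pair of patches addresses that CVE; keep the "[security fixes]" marker in the subject and add a line such as "Fixes CVE-2020-8287." (or state that the actual fix is the companion http-parser patch) so the bump is traceable from the git log. The cover letter also mentions a regression test demonstrating the fix, but this hunk only changes the version and the base32 sha256, so if the test arrives in the second patch the message should say so. Since the new hash "13za06bz17k71gcxyrx41l2j8al1kr3j627b8m7kqrf3l7rdfnsi" cannot be checked from the diff alone, verify it against upstream's signed SHASUMS256.txt.asc for v10.23.3 before pushing.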
--
2.30.1
Jonathan Brielmaier wrote 4 years ago
9a584e1f-4f43-57f6-61ae-4de39c8e8015@web.de
On 19.02.21 12:02, Jelle Licht wrote:
> Hey Guix,
>
> The attached two patches together should address CVE-2020-8287 (in
> Node). I am kind of fuzzy on the details, but to me it seems that the
> vulnerability is actually in http-parser (and llhttp), not node. I
> informed upstream about my findings, but in the meantime we should
> probably apply these.
>
> The node package subsequently has a regression test to demonstrate that
> the applied fix works. Nonetheless, http-parser has quite some
> dependents, and I only verified everything to still work with node.
>
> - Jelle

Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0
and thus also for the next ESR branch of icecat and icedove...
Jelle Licht wrote 4 years ago
86v9ahkdph.fsf@fsfe.org
Jonathan Brielmaier <jonathan.brielmaier@web.de> writes:

> On 19.02.21 12:02, Jelle Licht wrote:
>> Hey Guix,
>>
>> The attached two patches together should address CVE-2020-8287 (in
>> Node). I am kind of fuzzy on the details, but to me it seems that the
>> vulnerability is actually in http-parser (and llhttp), not node. I
>> informed upstream about my findings, but in the meantime we should
>> probably apply these.
>>
>> The node package subsequently has a regression test to demonstrate that
>> the applied fix works. Nonetheless, http-parser has quite some
>> dependents, and I only verified everything to still work with node.
>>
>> - Jelle
>
> Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0
> and thus also for the next ESR branch of icecat and icedove...

Good to know, I wouldn't want to block any other ongoing packaging efforts:

I pushed the patches to master, with the security fix at 66fa2d318a.
- Jelle
Closed