<div dir="ltr">Also note that debian/trixie will have a version of nodejs that uses even more external dependencies,<div>with a source tarball excluding the externalized dependencies, which will make the process of doing security uploads easier for everyone.</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Le ven. 7 févr. 2025 à 11:59, Jérémy Lal <<a href="mailto:kapouer@melix.org">kapouer@melix.org</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Security uploads take a lot of work to ensure all reverse (build-)dependencies of a package build and pass their test suite successfully.<div>For that last upload, I in particular, lost track of time.</div><div>To help me, one can redo those verifications, and then, once several packages failing to rebuild have been identified,</div><div>they must be fixed, proposed to bookworm, and once they are all accepted, that version of nodejs can be proposed to bookworm too.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le ven. 7 févr. 2025 à 11:04, Naaz, Syeda Shagufta <<a href="mailto:syedashagufta.naaz@siemens.com" target="_blank">syedashagufta.naaz@siemens.com</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div lang="EN-IN">
<div>
<p class="MsoNormal">Package: nodejs<u></u><u></u></p>
<p class="MsoNormal">Version: 18.19.0+dfsg-6~deb12u2<u></u><u></u></p>
<p class="MsoNormal">Severity: critical<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Dear Debian Community,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">We are currently working with the <a href="https://packages.debian.org/bookworm/nodejs" target="_blank">
Debian Bookworm</a> 12.9 release for our project and observed that the nodejs version is
<b>18.19.0+dfsg-6~deb12u2</b>. <b><u></u><u></u></b></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">However, upon reviewing the <a href="https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads" target="_blank">
salsa-debian/bookworm</a> branch, we noticed that version <b>18.20.4+dfsg-1~deb12u1
</b>is available, which includes fixes for multiple CVE issues, such as, <u></u><u></u></p>
<ul style="margin-top:0cm" type="disc">
<li style="margin-left:0cm"><a href="https://security-tracker.debian.org/tracker/CVE-2024-27983" target="_blank">CVE-2024-27983</a> (<b>8.2 HIGH</b>)<u></u><u></u></li><li style="margin-left:0cm"><a href="https://security-tracker.debian.org/tracker/CVE-2024-21892" target="_blank">CVE-2024-21892</a> (<b>7.5 HIGH</b>)<u></u><u></u></li><li style="margin-left:0cm"><a href="https://security-tracker.debian.org/tracker/CVE-2024-22019" target="_blank">CVE-2024-22019</a> (<b>7.5 HIGH</b>)
<u></u><u></u></li></ul>
<p class="MsoNormal">These fixes are not included in the current Bookworm release. Having the severity of some of these vulnerabilities as High, we are eager for these fixes to be available.
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Could you please help clarify why there is a discrepancy between the version in the Bookworm release and the one on salsa? Is there a any specific reason for the delay and, is there any fixed timeline for resolving this?
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I appreciate your time and guidance on this matter.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Best Regards,<u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Times New Roman",serif;color:black">Syeda Shagufta Naaz<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt;font-family:"Times New Roman",serif;color:black">Senior Software Developer<u></u><u></u></span></p>
<p class="MsoNormal"><b><span lang="FR" style="font-family:Calibri,sans-serif;color:teal">SIEMENS</span></b><span lang="FR" style="font-family:Calibri,sans-serif;color:black"> </span><b><span lang="EN-US" style="font-size:10pt;font-family:Calibri,sans-serif;color:rgb(1,95,191)">FT
FDS (Foundational Services)</span></b><span lang="EN-US"><u></u><u></u></span></p>
</div>
</div>
</div></blockquote></div>
</blockquote></div>