[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590

Salvatore Bonaccorso carnil at debian.org
Thu Dec 21 05:43:35 GMT 2023


Hi,

[CC'ing node-undici uploader]

On Wed, Dec 20, 2023 at 09:12:36PM +0100, Jérémy Lal wrote:
> On Wed, 19 Jul 2023 at 21:51, Jérémy Lal <kapouer at melix.org> wrote:
> 
> >
> >
> > On Wed, 19 Jul 2023 at 14:18, Moritz Mühlenhoff <jmm at inutil.org> wrote:
> >
> >> On Fri, Jun 30, 2023 at 08:12:37PM +0200, Jérémy Lal wrote:
> >> > Hi,
> >> >
> >> > On Fri, 30 Jun 2023 at 19:21, Salvatore Bonaccorso <carnil at debian.org> wrote:
> >> >
> >> > > Source: nodejs
> >> > > Version: 18.13.0+dfsg1-1
> >> > > Severity: important
> >> > > Tags: security upstream
> >> > > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <
> >> > > team at security.debian.org>
> >> > >
> >> > > Hi,
> >> > >
> >> > > The following vulnerabilities were published for nodejs.
> >> > >
> >> > > CVE-2023-30581[0], CVE-2023-30588[1], CVE-2023-30589[2] and
> >> > > CVE-2023-30590[3].
> >> > >
> >> > >
> >> > > If you fix the vulnerabilities please also make sure to include the
> >> > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >> > >
> >> >
> >> > It would be interesting to know if we adopt the same plan we had with
> >> > security team:
> >> > full upstream updates in the same branch, 18.x here.
> >>
> >> Ack, let's do that. Could you prepare bookworm-security updates
> >> based on 18.17.0 (after it has landed in unstable)?
> >
> >
> nodejs 18.19.0 has landed in testing.
> It rebuilds fine in bookworm, and test-suite-during-build pass on amd64.
> 
> It also requires "node-undici", precisely for that change:
> 
> node-undici (5.28.2+dfsg1+~cs23.11.12.3-2) unstable; urgency=medium
> 
>   * Build and publish undici-types, needed by new @types/node
> 
> Is there a way to deal with this?

Then I guess we need this as pre-requisite upload to bookworm as well.

Maybe Moritz has a better idea, but one option is to propose this
update regularly as bookworm-pu and once it's in proposed update ask
DSA to make the security chroots pick as well updates from
proposed-updates if we plan to release nodejs via a DSA (or otherwise
via bookworm-pu as well).

One other alternative is to make a non-security upload for
node-undici containing that change to the security archive, which the
nodejs update can pick.

Regards,
Salvatore
