[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590

Moritz Muehlenhoff jmm at inutil.org
Thu Dec 21 09:34:42 GMT 2023


On Thu, Dec 21, 2023 at 06:43:35AM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> [CC'ing node-undici uploader]
> > >> Ack, let's do that. Could you prepare bookworm-security updates
> > >> based on 18.17.0 (after it has landed in unstable)?
> > >
> > nodejs 18.19.0 has landed in testing.
> > It rebuilds fine in bookworm, and test-suite-during-build pass on amd64.
> > 
> > It also requires "node-undici", precisely for that change:
> > 
> > node-undici (5.28.2+dfsg1+~cs23.11.12.3-2) unstable; urgency=medium
> > 
> >   * Build and publish undici-types, needed by new @types/node
> > 
> > Is there a way to deal with this?
> 
> Then I guess we need this as pre-requisite upload to bookworm as well.
> 
> Maybe Moritz has a better idea, but one option is to propose this
> update regularly as bookworm-pu and once it's in proposed update ask
> DSA to make the security chroots pick as well updates from
> proposed-updates if we plan to release nodejs via a DSA (or otherwise
> via bookworm-pu as well).
> 
> One other alternative is to make a non-security upload for
> node-undici containing that change to the security archive, which the
> nodejs update can pick.

I think we can handle it similar to what we recently did when OpenJDK bumped
its requirement for jtreg: When we have a suitable update for node-undici
we upload it to security-master and the security buildds will be able to
use it to build the new nodejs. And then it simply gets released along with
the nodejs update.

Cheers,
        Moritz
