[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590

Moritz Mühlenhoff jmm at inutil.org
Wed Dec 27 17:21:00 GMT 2023


On Wed, Dec 27, 2023 at 05:18:52PM +0100, Jérémy Lal wrote:
> On Wed, Dec 27, 2023 at 17:16, Moritz Mühlenhoff <jmm at inutil.org> wrote:
> 
> > [ Also adding Paul Gevers for awareness, for context we're bumping nodejs
> >   in Bookworm to the latest 18.x security/LTS release ]
> >
> > On Wed, Dec 27, 2023 at 03:03:20PM +0100 Jérémy Lal wrote:
> >
> > > I don't think so, they are all either node-undici-related, or just test
> > > suite regressions.
> > > Here are the details:
> > >
> > > node-zx is a regression in the test suite only, fixed there:
> > >
> > > https://salsa.debian.org/js-team/node-zx/-/commit/a7d2861413480261890db147ea367a252192c9f2
> > >
> > > node-yaml is caused by missing node-undici
> > >
> > > node-v8-compile-cache is a regression in the test suite only, fixed there:
> > >
> > > https://salsa.debian.org/js-team/node-v8-compile-cache/-/commit/df42bdbfe84811e4da11d8c3d8ef3148d8a77bcc
> > >
> > > node-babel7 is a regression in the test suite, fixed there:
> > >
> > > https://salsa.debian.org/js-team/node-babel/-/commit/e5c88f4d765e4d64b60c9cf333dedb89abba39c5
> > >
> > > node-re2 is caused by missing node-undici
> >
> > Great, thanks for the detailed analysis!
> >
> > This means the update to .19 will regress autopkgtests for node-zx,
> > node-v8-compile-cache and node-babel7, but since these are all only test
> > suite regressions, we can just go ahead and fix the tests in a subsequent
> > bookworm point update, ok?
> >
> 
> Ok, so I suppose js-team would need to upload those three packages to t-p-u

Indeed: Not testing-proposed-updates (which is only for the testing distribution), but
instead for stable-proposed-updates, which is a very similar process:
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Cheers,
        Moritz


