[Pkg-javascript-devel] Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian repository
Jérémy Lal
kapouer at melix.org
Fri Feb 7 10:59:01 GMT 2025
Security uploads take a lot of work to ensure all reverse
(build-)dependencies of a package build and pass their test suite
successfully.
For that last upload, I, in particular, lost track of time.
To help me, one can redo those verifications, and then, once several
packages failing to rebuild have been identified,
they must be fixed, proposed to bookworm, and once they are all accepted,
that version of nodejs can be proposed to bookworm too.
On Fri, 7 Feb 2025 at 11:04, Naaz, Syeda Shagufta <
syedashagufta.naaz at siemens.com> wrote:
> Package: nodejs
>
> Version: 18.19.0+dfsg-6~deb12u2
>
> Severity: critical
>
>
>
> Dear Debian Community,
>
>
>
> We are currently working with the Debian Bookworm
> <https://packages.debian.org/bookworm/nodejs> 12.9 release for our
> project and observed that the nodejs version is *18.19.0+dfsg-6~deb12u2*.
>
>
>
> However, upon reviewing the salsa-debian/bookworm
> <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads>
> branch, we noticed that version *18.20.4+dfsg-1~deb12u1* is available,
> which includes fixes for multiple CVE issues, such as,
>
> - CVE-2024-27983
> <https://security-tracker.debian.org/tracker/CVE-2024-27983> (*8.2
> HIGH*)
> - CVE-2024-21892
> <https://security-tracker.debian.org/tracker/CVE-2024-21892> (*7.5
> HIGH*)
> - CVE-2024-22019
> <https://security-tracker.debian.org/tracker/CVE-2024-22019> (*7.5
> HIGH*)
>
> These fixes are not included in the current Bookworm release. Having the
> severity of some of these vulnerabilities as High, we are eager for these
> fixes to be available.
>
>
>
> Could you please help clarify why there is a discrepancy between the
> version in the Bookworm release and the one on salsa? Is there any
> specific reason for the delay, and is there any fixed timeline for
> resolving this?
>
>
>
> I appreciate your time and guidance on this matter.
>
>
>
> Best Regards,
>
> Syeda Shagufta Naaz
>
> Senior Software Developer
>
> *SIEMENS* *FT FDS (Foundational Services)*
>