[Pkg-javascript-devel] Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian repository

Naaz, Syeda Shagufta syedashagufta.naaz at siemens.com
Fri Feb 7 09:23:21 GMT 2025


Package: nodejs
Version: 18.19.0+dfsg-6~deb12u2
Severity: critical

Dear Debian Community,

We are currently working with the Debian Bookworm<https://packages.debian.org/bookworm/nodejs> 12.9 release for our project and observed that the nodejs version is 18.19.0+dfsg-6~deb12u2.

However, upon reviewing the salsa-debian/bookworm<https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads> branch, we noticed that version 18.20.4+dfsg-1~deb12u1 is available, which includes fixes for multiple CVE issues, such as:

  *   CVE-2024-27983<https://security-tracker.debian.org/tracker/CVE-2024-27983> (8.2 HIGH)
  *   CVE-2024-21892<https://security-tracker.debian.org/tracker/CVE-2024-21892> (7.5 HIGH)
  *   CVE-2024-22019<https://security-tracker.debian.org/tracker/CVE-2024-22019> (7.5 HIGH)

These fixes are not included in the current Bookworm release. Given that the severity of some of these vulnerabilities is High, we are eager for these fixes to be available.

Could you please help clarify why there is a discrepancy between the version in the Bookworm release and the one on salsa? Is there any specific reason for the delay, and is there any fixed timeline for resolving this?

I appreciate your time and guidance on this matter.

Best Regards,
Syeda Shagufta Naaz
Senior Software Developer
SIEMENS FT FDS (Foundational Services)