Summary: | <net-libs/nodejs-{6.17.0,8.15.1,10.15.2,11.10.1}: multiple vulnerabilities (CVE-2019-{5737,5739}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Jeroen Roovers (RETIRED) <jer> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | hydrapolic, jer, leho |
Priority: | Normal | Flags: | stable-bot: sanity-check- |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=698720 | ||
Whiteboard: | B3 [glsa+ cve] | ||
Package list: |
net-libs/nodejs-8.16.2
net-libs/nodejs-12.13.0
net-libs/http-parser-2.9.2
=net-libs/nodejs-10.17.0
|
Runtime testing required: | --- |
Bug Depends on: | 708458 | ||
Bug Blocks: |
Description
Jeroen Roovers (RETIRED)
2019-03-01 10:30:13 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

@ maintainer(s): Please call for stabilization on your own or advise. Without any feedback we will stabilize latest LTS version next week.

Adding =net-libs/nodejs-8.16.2 to list for <openssl-1.1.1 users.

An automated check of this bug failed - repoman reported dependency errors (770 lines truncated):
> dependency.bad net-libs/nodejs/nodejs-8.16.2.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.16.2.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.16.2.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.16.2.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.16.2.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.16.2.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=net-libs/http-parser-2.9.0:=']
An automated check of this bug failed - repoman reported dependency errors (382 lines truncated):
> dependency.bad net-libs/nodejs/nodejs-12.13.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/libuv-1.32.0:=', '>=net-dns/c-ares-1.15.0']
> dependency.bad net-libs/nodejs/nodejs-12.13.0.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/libuv-1.32.0:=', '>=net-dns/c-ares-1.15.0']
> dependency.bad net-libs/nodejs/nodejs-12.13.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-libs/libuv-1.32.0:=', '>=net-dns/c-ares-1.15.0']
> dependency.bad net-libs/nodejs/nodejs-12.13.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/libuv-1.32.0:=', '>=net-dns/c-ares-1.15.0']
> dependency.bad net-libs/nodejs/nodejs-12.13.0.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/libuv-1.32.0:=', '>=net-dns/c-ares-1.15.0']
> dependency.bad net-libs/nodejs/nodejs-12.13.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-libs/libuv-1.32.0:=', '>=net-dns/c-ares-1.15.0']
Moved stabilization of =dev-libs/libuv-1.33.1 =net-dns/c-ares-1.15.0 to own, dedicated bugs due to different keywords.

x86 stable

x86 stable

arm64 stable

Hi Jeroen. Is there anything still blocking amd64 stabilization? Some of my packages are starting to require Node 10 as a hard dependency, been looking for an opportunity to upgrade from Node 8. Anything I or anyone can do to help?

amd64 stable

An automated check of this bug failed - the following atoms are unknown: net-libs/nodejs-8.16.2 net-libs/nodejs-12.13.0 net-libs/nodejs-10.17.0
Please verify the atom list.

GLSA Vote: No

Stabilization/cleanup blocked by bug 702988.

An automated check of this bug failed - the following atoms are unknown: net-libs/nodejs-8.16.2 net-libs/nodejs-12.13.0 net-libs/nodejs-10.17.0
Please verify the atom list.

Added to an existing GLSA.

This issue was resolved and addressed in GLSA 202003-48 at https://security.gentoo.org/glsa/202003-48 by GLSA coordinator Thomas Deutschmann (whissi).

Superseded by bug 708458.