| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <net-libs/nodejs-{16.18.0,18.9.0}: multiple vulnerabilities via bundled undici | | |
| Product | Gentoo Security | Reporter | John Helmert III <ajak> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | IN_PROGRESS | | |
| Severity | minor | CC | williamh |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | B4 [glsa] | | |
| Package list | | Runtime testing required | --- |
| Bug Depends on | 880795 | | |
| Bug Blocks | | | |
Description
John Helmert III
2022-08-17 23:40:58 UTC
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2d494d079a1fe48fa2624fb5782343f2f2eecb4

```
commit e2d494d079a1fe48fa2624fb5782343f2f2eecb4
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-08-18 16:22:28 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-08-18 16:24:07 +0000

    net-libs/nodejs: add 16.17.0

    Bug: https://bugs.gentoo.org/865627
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   1 +
 net-libs/nodejs/nodejs-16.17.0.ebuild | 225 ++++++++++++++++++++++++++++++++++
 2 files changed, 226 insertions(+)
```

I will wait for the 14.x and 18.x releases before I stabilize anything.

Does 16.17.0 bump undici to a fixed version?

It does not.

```
# grep version deps/undici/src/package.json
  "version": "5.8.0",
```

Going to go hunting in nodejs git.

Patches made it to 16.18.0, 18.9.0:
https://github.com/nodejs/node/commit/0484122f71fdfb63fe3828ffd094ea7d35b675a9
https://github.com/nodejs/node/commit/818271c1c3b28464e10e8d87ddcb673b8bcb3e29

Unsure about 14.x.

Looks like undici was introduced in this PR, which was never backported to 14.x:
https://github.com/nodejs/undici/pull/1183

So we need to stabilize a newer version, ideally along with fixed versions for 879617.
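The manual `grep` of `deps/undici/src/package.json` above, turned into a repeatable check, as an added example that is not part of the bug or of Gentoo's tooling: read the vendored undici version from a Node.js source tree and compare it against a minimum fixed version. The minimum version passed to `bundles_fixed_undici` is a placeholder the reader fills in from the undici advisory; the page does not state it, and `make_fake_tree` only constructs a throwaway tree for demonstration.

```python
import json
import os
import tempfile

# Location of the vendored undici metadata inside a Node.js source tree,
# the same file the bug discussion grepped.
UNDICI_PKG = os.path.join("deps", "undici", "src", "package.json")


def parse_version(v):
    """Turn '5.8.0' (optionally '5.8.0-rc.1') into a comparable tuple.
    A final release sorts after any pre-release of the same number."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    return nums, (pre == "", pre)


def bundled_undici_version(node_src):
    """Return the 'version' field of the undici vendored under node_src."""
    with open(os.path.join(node_src, UNDICI_PKG), encoding="utf-8") as f:
        return json.load(f)["version"]


def bundles_fixed_undici(node_src, min_fixed):
    """True when the bundled undici is at least min_fixed.
    min_fixed is a placeholder: take it from the undici advisory."""
    return parse_version(bundled_undici_version(node_src)) >= parse_version(min_fixed)


def make_fake_tree(version):
    """Construct a throwaway tree containing only the file we inspect.
    Demonstration input, not a real Node.js checkout."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "deps", "undici", "src"))
    with open(os.path.join(root, UNDICI_PKG), "w", encoding="utf-8") as f:
        json.dump({"name": "undici", "version": version}, f)
    return root


if __name__ == "__main__":
    # Reproduces the finding above: 16.17.0 ships undici 5.8.0.
    tree = make_fake_tree("5.8.0")
    print("bundled undici:", bundled_undici_version(tree))
    print("at least 5.8.1:", bundles_fixed_undici(tree, "5.8.1"))
```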