Hi,
If sponsored packages are already handled and we have time to fix this
package, then I think we can fix it.
I think we need to evaluate a package's usage only when fixing is
problematic (time constraints, backport issues, uncooperative
upstream...). Package usage would then be used among other elements to
make a decision about supporting the package further.
That doesn't appear to be the case here, so I'll add it to dla-needed.txt.
Cheers!
Sylvain
On 09/09/2022 23:45, Ola Lundqvist wrote:
Hi fellow LTS contributors
It is this kind of question again. "Is it worth it?".
We have CVE-2020-7677 on node-thenify.
According to popcorn we have three installations. That is of course a
lower end number since popcorn only counts the popcorn users, but anyway
it indicates that the installation number is really low. It is in fact
the lowest popcorn score I have seen so far.
Then about the vulnerability itself. It is an arbitrary code execution,
but it is on the client side, and the user has to get some code injected
into it that is passed to this function. This means you have to find
some other code that uses this functionality and in some way pass it
through. It can be done but the likelihood is lower.
Further I can see that node-* packages were unsupported in stretch. They
seem to be in buster however.
Quite a lot of node-* packages have fairly severe issues declared as
minor issues. I could not find any arbitrary code execution
vulnerabilities though.
So my question is, should we fix node-thenify?
I guess so but I want to raise the question.