Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package libuv1

[ Reason ]
libuv1 1.40.0-1 is affected by CVE-2021-22918

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990561

In more detail:

> Node.js (through libuv1) is vulnerable to out-of-bounds read in
> libuv's uv__idna_toascii() function which is used to convert strings
> to ASCII. This is called by Node's dns module's lookup() function and
> can lead to information disclosures or crashes.

See https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

I've applied a patch prepared by upstream:
https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829

Debdiff does not give much information besides the changelog. The patch is:
https://salsa.debian.org/debian/libuv1/-/blob/debian/sid/debian/patches/fix-cve-2021-22918

[ Impact ]
Without this patch, libuv1 (hence nodejs and maybe raku) is vulnerable to
specially crafted host names encoded in punycode.

[ Tests ]
Upstream patch contains specific tests that check that the vulnerability
was fixed.

[ Risks ]
Hmm. I guess the risk is low as the patch is not so big. I also trust the
judgment of upstream.

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

unblock libuv1/1.40.0-1
diff -Nru libuv1-1.40.0/debian/changelog libuv1-1.40.0/debian/changelog --- libuv1-1.40.0/debian/changelog 2020-10-31 18:43:46.000000000 +0100 +++ libuv1-1.40.0/debian/changelog 2021-07-04 09:43:38.000000000 +0200 @@ -1,3 +1,9 @@ +libuv1 (1.40.0-2) unstable; urgency=medium + + * add patch for CVE-2021-22918 (Closes: #990561) + + -- Dominique Dumont <d...@debian.org> Sun, 04 Jul 2021 09:43:38 +0200 + libuv1 (1.40.0-1) unstable; urgency=medium * new upstream version
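Review bot: the version in the unblock line does not match the changelog hunk: the hunk adds the "libuv1 (1.40.0-2) unstable; urgency=medium" entry, but the request ends with "unblock libuv1/1.40.0-1", which is the version the text says is affected; the unblock line should name 1.40.0-2. Also, only the debian/changelog hunk is in the attached debdiff, so the debian/patches/series change and the fix-cve-2021-22918 patch file itself are not visible here and a reviewer has to follow the salsa link to see the actual fix; attaching the complete debdiff would make the change self-contained. Finally, the changelog line "* add patch for CVE-2021-22918 (Closes: #990561)" could name the upstream commit the patch was taken from (d33aead28bcec32a2a450f884907a6d971631829, cited in the request) so that the provenance survives in the package itself.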