• Bug#1105832: Followup question on CVE-2024-27982

    From Jérémy Lal@21:1/5 to All on Fri May 16 09:00:01 2025
    On Fri, 16 May 2025 at 08:00, Salvatore Bonaccorso <carnil@debian.org> wrote:

    > Hi Jeremy,
    >
    > On Thu, May 15, 2025 at 10:50:34PM +0200, Jérémy Lal wrote:
    > > Also https://nodejs.org/en/blog/release/v20.19.2/
    > > mentions
    > > CVE-2024-27982 http: do not allow OBS fold in headers by default
    >
    > Question on this one: this was already fixed in v18.20.1, and we did
    > get the fix included in 18.20.1+dfsg-1, correct? Did we lose the fix afterwards?


    Yes, the fix was applied April 2, 2024 on the 18.x branch.
    No, it wasn't lost.

    > Do we likely have other such problems (maybe from the April 2024
    > release CVEs)?


    This looks more likely to be a badly generated changelog, because https://github.com/nodejs/node/commits/v20.x/deps/llhttp
    shows that the patch was applied to branch 20.x in April 2024, and
    then, in the same minute after the llhttp update, the patch was reapplied, so
    there's no mistake.

    So CVE-2024-27982 has always stayed fixed, and we can forget about it.

    Jérémy

