Your message dated Sun, 01 Dec 2019 17:04:19 +0000
with message-id <[email protected]>
and subject line Bug#945249: fixed in angular.js 1.7.9-1
has caused the Debian Bug report #945249,
regarding angular.js: CVE-2019-10768
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
945249: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945249
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: angular.js
Version: 1.5.10-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for angular.js.

CVE-2019-10768[0]:
| In AngularJS before 1.7.9 the function `merge()` could be tricked into
| adding or modifying properties of `Object.prototype` using a
| `__proto__` payload.

There is a simple POC/verifier available on [1].

    angular.merge({}, JSON.parse('{"__proto__": {"xxx": "polluted"}}'));
    console.log(({}).xxx);

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10768
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10768
[1] https://snyk.io/vuln/SNYK-JS-ANGULAR-534884
[2] https://github.com/angular/angular.js/commit/add78e62004e80bb1e16ab2dfe224afa8e513bc3

Regards,
Salvatore
--- End Message ---
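The payload in the report above, worked through as an added example that is not part of the original thread and not angular.js code: a minimal recursive deep merge with the same flaw class as CVE-2019-10768 (it walks into `dst["__proto__"]`, which resolves to `Object.prototype`), beside a hardened variant. The names `naiveMerge`, `safeMerge`, `pollutes` and the forbidden-key list are illustrative assumptions; the skip-list is the usual mitigation for this bug class and is not claimed to be the exact upstream patch.

```javascript
// Added example, not angular.js code. naiveMerge mirrors the flaw class of
// CVE-2019-10768 (a recursive merge that recurses into dst["__proto__"]);
// safeMerge is a hardened variant. Function names and the forbidden-key list
// are assumptions for illustration, not the exact upstream change.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: for key "__proto__", dst[key] goes through the inherited
// accessor and yields Object.prototype, so the recursion writes into it.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      naiveMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened: refuse keys that reach the prototype chain, and only recurse
// into a slot the destination object actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) {
        dst[key] = {};
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Verifier in the spirit of the report's POC. The payload has to arrive via
// JSON.parse: a source-level literal {__proto__: ...} would set the object's
// prototype instead of creating an own, enumerable "__proto__" key.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"xxx": "polluted"}}'); // constructed payload, from the report
  mergeFn({}, payload);
  const hit = ({}).xxx === 'polluted';
  delete Object.prototype.xxx; // undo the pollution so the rest of the runtime is unaffected
  return hit;
}

console.log('naiveMerge pollutes Object.prototype:', pollutes(naiveMerge)); // true
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));   // false
```

Run it with `node` and the first line reports `true`, the second `false`. The `hasOwnProperty` check in `safeMerge` is a second layer: even if a key slipped past the skip-list, the merge would create a fresh own object rather than descend into something inherited.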
--- Begin Message ---
Source: angular.js
Source-Version: 1.7.9-1

We believe that the bug you reported is fixed in the latest version of
angular.js, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated angular.js package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 01 Dec 2019 15:02:51 +0000
Source: angular.js
Architecture: source
Version: 1.7.9-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 859513 945249
Changes:
 angular.js (1.7.9-1) unstable; urgency=high
 .
   * New upstream release (closes: #859513):
     - fixes CVE-2019-10768: function `merge()` could be tricked into
       adding or modifying properties of `Object.prototype` (closes: #945249).
   * Update watch file.
   * Update debhelper level to 11 .
   * Update Standards-Version to 4.4.1 .
Checksums-Sha1:
 734308d5c347eb96d58fc6a8d6d3f6a1c2e54f6e 1791 angular.js_1.7.9-1.dsc
 2455412e08c6990c7f2a98cda4f9d43c87b98c0e 21371357 angular.js_1.7.9.orig.tar.gz
 9b01f5099281ce57178c0c6e7cbc8ad0d57dc7ec 17960 angular.js_1.7.9-1.debian.tar.xz
Checksums-Sha256:
 66871776a5f07e6d6a8b3de36df88f3c3eeb273117603bc3411025a83265e743 1791 angular.js_1.7.9-1.dsc
 30722798c02b527b9b4952596a21b4e10d1f26928365134bbd245b9709b7d972 21371357 angular.js_1.7.9.orig.tar.gz
 3ffaf6d62e93c6770cb6e279b3c64082d0c023c6827dfa1e2e6588d2b75bf626 17960 angular.js_1.7.9-1.debian.tar.xz
Files:
 371dfca20782f4b026cab4fe1210dcf2 1791 javascript optional angular.js_1.7.9-1.dsc
 b7c0fdbd2b130348cb012377b6c50448 21371357 javascript optional angular.js_1.7.9.orig.tar.gz
 ea448c049dcea3389e4357f19104ee16 17960 javascript optional angular.js_1.7.9-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAl3j7KMACgkQ3OMQ54ZM
yL+NhQ//cP2q+y7fBZ3MLgZwf0PYDQiQzykoATmababsjCj+J643j3crfunP8A11
q/rex0O9BALk4dQiExF/jkC779Ebb0DEjtzxe3IbpnvUGJjIDt1TYACrXhnqPeWN
NdmhLNok8Fw9CZznK4w4abMyD/1rQAMwZYkprlzF1JdQxFtk0T0/p+ra9Kj6CSS9
sHpknbDNtDTJqOP6wj6HpC+iHm/lREk+VvrGW2RFLLRSItBf81UlY5m1q7iXM4N0
TbKa/eb46EhdvU4hwIvLw1wOS9/OBsUfuOcjnL/PjhGNdeNchzf+vFPWsE8ol8MV
7P1OqcM0YLVZ0IABwnoXmfScuS5gZHXmqGTr3wpcatOFbakEntzQ1JpTvAbsuiC4
FNrdje/ah+clvHBzAK+po9mAcNuZ1aG+TGSItIQ5ZIIGu2suX87mQyNZQmWQ4lXP
vbL3WDekSVaDsGZSfNCnZFR3Cf3RkC0EQVBxoE5tk6dYZ8fRtQdOcUybF0kt3ioz
gpvUsgpXuSDW7YW1HrHKxal7zVGW5AEr+3DYclrAt123NxpL00msCpHwIUwFSIL4
jJHPYM4npwjlNQ0vhgITt/qw+vzfcug33UC+92EID0+/v/+UWkBS7tBe+f1qhlHP
mTOedbYvS3mJqo1NT5B1Wo+ZOh8eGLyAuVsFCk1uxL2G7WZGZ5k=
=i8nz
-----END PGP SIGNATURE-----
--- End Message ---

