Your message dated Fri, 10 Jul 2020 15:49:46 +0000
with message-id <[email protected]>
and subject line Bug#964746: fixed in npm 6.14.6+ds-1
has caused the Debian Bug report #964746,
regarding npm: CVE-2020-15095
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
964746: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964746
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: npm
Version: 6.14.5+ds-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for npm.

CVE-2020-15095[0]:
| Versions of the npm CLI prior to 6.14.6 are vulnerable to an
| information exposure vulnerability through log files. The CLI supports
| URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>".
| The password value is not redacted and is printed to stdout and also to any
| generated log files.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15095
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15095
[1] https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
[2] https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: npm
Source-Version: 6.14.6+ds-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
npm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated npm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 10 Jul 2020 11:51:25 +0200
Source: npm
Architecture: source
Version: 6.14.6+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 963539 964746
Changes:
 npm (6.14.6+ds-1) unstable; urgency=medium
 .
   * Team upload
 .
   [ Gianfranco Costamagna ]
   * Increase whoami with bearer auth timeout (Closes: #963539)
 .
   [ Xavier Guimard ]
   * New upstream version 6.14.6+ds (Closes: #964746, CVE-2020-15095)
   * Disable new doctor-ping-registry-404 test (which needs some binary files)

--- End Message ---
