Your message dated Fri, 04 Dec 2020 14:45:35 +0000
with message-id <[email protected]>
and subject line Bug#976390: fixed in node-y18n 4.0.0-3
has caused the Debian Bug report #976390,
regarding node-y18n: CVE-2020-7774
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
976390: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976390
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-y18n
Version: 4.0.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/yargs/y18n/issues/96
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-y18n.
CVE-2020-7774[0]:
| This affects the package y18n before 5.0.5. PoC by po6ix: const y18n =
| require('y18n')(); y18n.setLocale('__proto__');
| y18n.updateLocale({polluted: true}); console.log(polluted); // true
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-7774
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774
[1] https://github.com/yargs/y18n/issues/96
[2] https://github.com/yargs/y18n/pull/108
[3] https://snyk.io/vuln/SNYK-JS-Y18N-1021887
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
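As an added illustration of the bug in the report above (example code, not y18n's or Debian's own source): a stripped-down model of a locale cache with an updateLocale() merge, first in the shape where setLocale('__proto__') makes the merge write into Object.prototype, then hardened with a null-prototype cache and a key filter, plus a helper that runs the reported PoC against either form. The filter on constructor/prototype and the getLocaleTable() helper are choices made for this example, not necessarily upstream's exact fix.

```javascript
// Vulnerable model: cache is a plain object, so cache['__proto__'] resolves
// to Object.prototype and the merge writes into every object's prototype.
function makeVulnerableY18n() {
  const state = { locale: 'en', cache: {} };
  return {
    setLocale(locale) { state.locale = locale; },
    updateLocale(obj) {
      if (!state.cache[state.locale]) state.cache[state.locale] = {};
      for (const key in obj) {
        if (Object.prototype.hasOwnProperty.call(obj, key)) {
          state.cache[state.locale][key] = obj[key];
        }
      }
    },
  };
}

// Hardened model (a hardening choice for this example, not y18n's exact fix):
// a null-prototype cache has no inherited __proto__ accessor, so any locale
// name is just an own key, and the merge also refuses prototype-reaching keys.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function makeHardenedY18n() {
  const state = { locale: 'en', cache: Object.create(null) };
  return {
    setLocale(locale) { state.locale = String(locale); },
    updateLocale(obj) {
      if (state.cache[state.locale] === undefined) {
        state.cache[state.locale] = Object.create(null);
      }
      for (const key of Object.keys(obj)) {
        if (FORBIDDEN_KEYS.has(key)) continue; // drop pollution vectors
        state.cache[state.locale][key] = obj[key];
      }
    },
    getLocaleTable() { return state.cache[state.locale]; }, // constructed helper
  };
}

// Runs the report's PoC against one implementation and returns whether a fresh
// object inherited the injected key; cleans up so a vulnerable run does not leak.
function pocPollutes(factory) {
  const y18n = factory();
  y18n.setLocale('__proto__');
  y18n.updateLocale({ polluted: true });
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```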
--- Begin Message ---
Source: node-y18n
Source-Version: 4.0.0-3
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-y18n, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-y18n package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 04 Dec 2020 15:29:40 +0100
Source: node-y18n
Architecture: source
Version: 4.0.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 976390
Changes:
node-y18n (4.0.0-3) unstable; urgency=medium
.
* Team upload
.
[ Debian Janitor ]
* Set debhelper-compat version in Build-Depends.
* Set upstream metadata fields: Bug-Submit.
* Remove obsolete fields Contact, Name from debian/upstream/metadata
(already present in machine-readable debian/copyright).
* Update standards version to 4.4.1, no changes needed.
* Update standards version to 4.5.0, no changes needed.
.
[ Xavier Guimard ]
* Bump debhelper compatibility level to 13
* Add "Rules-Requires-Root: no"
* Use dh-sequence-nodejs
* Declare compliance with policy 4.5.1
* Modernize debian/watch
* Add test script for CVE-2020-7774
* Fix prototype pollution (Closes: #976390, CVE-2020-7774)
--- End Message ---