Your message dated Sat, 19 Dec 2020 18:35:42 +0000
with message-id <[email protected]>
and subject line Bug#977718: fixed in node-ini 2.0.0-1
has caused the Debian Bug report #977718,
regarding node-ini: CVE-2020-7788
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
977718: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977718
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-ini
Version: 1.3.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-ini.
CVE-2020-7788[0]:
| This affects the package ini before 1.3.6. If an attacker submits a
| malicious INI file to an application that parses it with ini.parse,
| they will pollute the prototype on the application. This can be
| exploited further depending on the context.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-7788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
[1] https://snyk.io/vuln/SNYK-JS-INI-1048974
[2] https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1
Regards,
Salvatore
--- End Message ---
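The bug class the CVE text above describes, as an added example (not code from the ini package or from this thread): a simplified stand-in INI parser whose unguarded mode lets a section name resolve to `Object.prototype`, beside a guarded mode, plus a check that can serve as a regression test. `parseIni`, `pollutesPrototype` and the sample input are hypothetical and constructed here.

```javascript
// Simplified stand-in for an INI parser (NOT the ini package's code).
// guard: false shows the unsafe pattern; guard: true the hardened one.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function parseIni(text, { guard = true } = {}) {
  const out = guard ? Object.create(null) : {};
  let section = out;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const header = line.match(/^\[([^\]]*)\]$/);
    if (header) {
      const name = header[1].trim();
      // Hardened: drop the whole section if its name is a prototype key.
      if (guard && UNSAFE_KEYS.has(name)) { section = null; continue; }
      // Unsafe: out['__proto__'] resolves to Object.prototype, not a new object.
      section = out[name] = out[name] || (guard ? Object.create(null) : {});
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1 || section === null) continue;
    const key = line.slice(0, eq).trim();
    if (guard && UNSAFE_KEYS.has(key)) continue;
    section[key] = line.slice(eq + 1).trim();
  }
  return out;
}

// Returns true if parsing `text` leaked a property onto Object.prototype.
function pollutesPrototype(text, opts) {
  const before = Object.getOwnPropertyNames(Object.prototype);
  parseIni(text, opts);
  const leaked = Object.getOwnPropertyNames(Object.prototype)
    .filter((k) => !before.includes(k));
  for (const k of leaked) delete Object.prototype[k]; // restore global state
  return leaked.length > 0;
}

// Constructed sample input for the check.
const SAMPLE = '[__proto__]\ncanary = 1\n[db]\nhost = localhost\n';
```

The same before/after comparison of `Object.prototype` can be wrapped around any parser call in a test suite to confirm that an upgraded dependency no longer leaks properties.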
--- Begin Message ---
Source: node-ini
Source-Version: 2.0.0-1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-ini, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-ini package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 19 Dec 2020 18:52:24 +0100
Source: node-ini
Architecture: source
Version: 2.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 977718
Changes:
node-ini (2.0.0-1) unstable; urgency=medium
.
* Team upload
.
[ Debian Janitor ]
* Trim trailing whitespace.
* Use secure copyright file specification URI.
* Bump debhelper from old 11 to 12.
* Set debhelper-compat version in Build-Depends.
* Set upstream metadata fields: Bug-Database, Repository, Repository-Browse.
* Set upstream metadata fields: Bug-Submit.
* Apply multi-arch hints. + node-ini: Add Multi-Arch: foreign.
.
[ Xavier Guimard ]
* Bump debhelper compatibility level to 13
* Declare compliance with policy 4.5.1
* Add "Rules-Requires-Root: no"
* Add debian/gbp.conf
* Modernize debian/watch
* Use dh-sequence-nodejs auto test & install
* New upstream version 2.0.0 (Closes: #977718)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---