Your message dated Sun, 20 Dec 2020 18:47:08 +0000
with message-id <[email protected]>
and subject line Bug#976390: fixed in node-y18n 3.2.1-2+deb10u1
has caused the Debian Bug report #976390,
regarding node-y18n: CVE-2020-7774
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
976390: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976390
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-y18n
Version: 4.0.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/yargs/y18n/issues/96
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-y18n.

CVE-2020-7774[0]:
| This affects the package y18n before 5.0.5. PoC by po6ix: const y18n =
| require('y18n')(); y18n.setLocale('__proto__');
| y18n.updateLocale({polluted: true}); console.log(polluted); // true


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7774
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774
[1] https://github.com/yargs/y18n/issues/96
[2] https://github.com/yargs/y18n/pull/108
[3] https://snyk.io/vuln/SNYK-JS-Y18N-1021887

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
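The pollution path quoted in the CVE description above, as an added example that is not part of the bug report or of y18n's own code: a minimal locale store in the vulnerable shape beside a hardened one, plus a check that reports whether an unrelated object inherited the injected key. makeVulnerableStore, makeHardenedStore, FORBIDDEN_KEYS, assertSafeKey and pollutesPrototype are assumed names; only the setLocale/updateLocale pair comes from the report.

```javascript
// Vulnerable shape (assumed, modelled on the PoC in the report): the locale name
// indexes a plain object, so "__proto__" resolves to Object.prototype and
// updateLocale() merges the caller's keys straight onto it.
function makeVulnerableStore() {
  const cache = {};
  let locale = 'en';
  return {
    setLocale(name) { locale = name; },
    updateLocale(obj) {
      if (!cache[locale]) cache[locale] = {};
      Object.assign(cache[locale], obj); // cache['__proto__'] is Object.prototype
    },
  };
}

// Hardened shape: prototype-free containers plus an explicit deny-list, so
// neither the locale name nor a translation key can reach a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function assertSafeKey(key) {
  if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) throw new TypeError(`unsafe key: ${String(key)}`);
}

function makeHardenedStore() {
  const cache = Object.create(null); // no prototype chain to walk into
  let locale = 'en';
  return {
    setLocale(name) { assertSafeKey(name); locale = name; },
    updateLocale(obj) {
      if (!(locale in cache)) cache[locale] = Object.create(null);
      for (const key of Object.keys(obj)) { // own keys only; JSON.parse can yield "__proto__"
        assertSafeKey(key);
        cache[locale][key] = obj[key];
      }
    },
    get(key) { return locale in cache ? cache[locale][key] : undefined; },
  };
}

// Runs the reported sequence against a store; returns true if a fresh, unrelated
// object inherited the injected key. Restores Object.prototype afterwards.
function pollutesPrototype(store) {
  try {
    store.setLocale('__proto__');
    store.updateLocale({ polluted: true });
    return ({}).polluted === true;
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
    return false; // hardened store refused the request
  } finally {
    delete Object.prototype.polluted;
  }
}
```

pollutesPrototype(makeVulnerableStore()) returns true and pollutesPrototype(makeHardenedStore()) returns false; the same check, run against a real dependency in a throwaway process, is a quick way to confirm an upgrade actually closed the hole.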
--- Begin Message ---
Source: node-y18n
Source-Version: 3.2.1-2+deb10u1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-y18n, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-y18n package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 04 Dec 2020 15:41:08 +0100
Source: node-y18n
Binary: node-y18n
Architecture: source all
Version: 3.2.1-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Description:
 node-y18n  - bare-bones internationalization library used by yargs
Closes: 976390
Changes:
 node-y18n (3.2.1-2+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * Fix prototype pollution (Closes: #976390, CVE-2020-7774)


--- End Message ---
