Your message dated Fri, 29 Apr 2022 16:52:35 +0200
with message-id <[email protected]>
and subject line Re: Bug#1010359: node-ejs: CVE-2022-29078 server-side template injection
has caused the Debian Bug report #1010359,
regarding node-ejs: CVE-2022-29078 server-side template injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1010359: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010359
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-ejs
Version: 3.1.6-3
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-ejs.

CVE-2022-29078[0]:
| The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js
| allows server-side template injection in settings[view
| options][outputFunctionName]. This is parsed as an internal option,
| and overwrites the outputFunctionName option with an arbitrary OS
| command (which is executed upon template compilation).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-29078
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078

Please adjust the affected versions in the BTS as needed.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
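The mechanism the CVE text describes is that values found under settings['view options'] are picked up as render options, and outputFunctionName is spliced into the source of the compiled template function. An added example, not code from the bug report or from the ejs project, of the defensive check an application can apply before calling ejs: it reproduces that merge (the merge order is an assumption of this example) and rejects any source-spliced option that is not a plain JavaScript identifier. The option names outputFunctionName, localsName and destructuredLocals are ejs's documented options; the sample inputs are constructed.

```javascript
// Added example, not code from the bug report or from the ejs project.
// Assumed names: ejs options outputFunctionName, localsName, destructuredLocals;
// settings['view options'] is the path named in CVE-2022-29078.
const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;
const IDENTIFIER_OPTIONS = ['outputFunctionName', 'localsName'];

// Reproduce the merge the CVE describes (order assumed here): values under
// data.settings['view options'] are treated as render options and override
// whatever the application passed explicitly.
function effectiveOptions(data, opts) {
  const merged = Object.assign({}, opts || {});
  const viewOpts = data && data.settings && data.settings['view options'];
  if (viewOpts && typeof viewOpts === 'object') {
    Object.assign(merged, viewOpts);
  }
  return merged;
}

// Allow-list check: every option that ends up inside the generated template
// function source must be a plain JavaScript identifier, nothing else.
function validateTemplateOptions(merged) {
  for (const name of IDENTIFIER_OPTIONS) {
    const value = merged[name];
    if (value === undefined) continue;
    if (typeof value !== 'string' || !JS_IDENTIFIER.test(value)) {
      throw new Error(`${name} is not a valid JS identifier`);
    }
  }
  const locals = merged.destructuredLocals;
  if (locals !== undefined) {
    const ok = Array.isArray(locals) &&
      locals.every((l) => typeof l === 'string' && JS_IDENTIFIER.test(l));
    if (!ok) throw new Error('destructuredLocals contains a non-identifier');
  }
  return merged;
}

// Entry point an application calls before ejs.render() / ejs.renderFile().
function safeRenderOptions(data, opts) {
  return validateTemplateOptions(effectiveOptions(data, opts));
}

// Constructed inputs: a legitimate override of the output function name and
// a value that is not an identifier and must never reach compilation.
const legitimate = { settings: { 'view options': { outputFunctionName: 'echo' } } };
const tainted = { settings: { 'view options': { outputFunctionName: 'echo; run()' } } };
```

In an Express application the check belongs wherever request-derived data is merged into the locals passed to res.render(), so that a client-supplied settings object is rejected instead of being forwarded to the template engine.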
--- Begin Message ---
Source: node-ejs
Source-Version: 3.1.7-1

Fixed with 3.1.7-1 upload to unstable:

https://tracker.debian.org/news/1321607/accepted-node-ejs-317-1-source-into-unstable/

Regards,
Salvatore

--- End Message ---
