Your message dated Sun, 29 May 2022 18:32:09 +0000
with message-id <[email protected]>
and subject line Bug#1010359: fixed in node-ejs 2.5.7-3+deb11u1
has caused the Debian Bug report #1010359,
regarding node-ejs: CVE-2022-29078 server-side template injection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1010359: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010359
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-ejs
Version: 3.1.6-3
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-ejs.
CVE-2022-29078[0]:
| The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js
| allows server-side template injection in settings[view
| options][outputFunctionName]. This is parsed as an internal option,
| and overwrites the outputFunctionName option with an arbitrary OS
| command (which is executed upon template compilation).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-29078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: node-ejs
Source-Version: 2.5.7-3+deb11u1
Done: Yadd <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-ejs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-ejs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 30 Apr 2022 06:59:25 +0200
Source: node-ejs
Architecture: source
Version: 2.5.7-3+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Javascript Maintainers
<[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1010359
Changes:
node-ejs (2.5.7-3+deb11u1) bullseye; urgency=medium
.
* Team upload
* Sanitize options and new objects (Closes: #1010359, CVE-2022-29078)
Checksums-Sha1:
709d8ea32b4a3cfa2043e088915bbf004a96d96a 2042 node-ejs_2.5.7-3+deb11u1.dsc
fc50833648341bc0e5b8914bec40e15894da8c2a 9100 node-ejs_2.5.7-3+deb11u1.debian.tar.xz
Checksums-Sha256:
69390b60eb84b6ca36922813359bc847856db0652ec603c88da781b2b8bc9621 2042 node-ejs_2.5.7-3+deb11u1.dsc
f133a98a73caeb6b65343ea73e05a325e65321893a38688adca8f0524483e224 9100 node-ejs_2.5.7-3+deb11u1.debian.tar.xz
Files:
76e73c8d8ea0f62a8832d92848cbdd6b 2042 javascript optional node-ejs_2.5.7-3+deb11u1.dsc
86db6f0e656ece1235fd4f61c66e87a6 9100 javascript optional node-ejs_2.5.7-3+deb11u1.debian.tar.xz
--- End Message ---
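The CVE description in the bug report ("parsed as an internal option, and overwrites the outputFunctionName option with arbitrary code") and the changelog entry ("Sanitize options and new objects") together describe the mechanism and the class of fix. The following is an added illustration of both; it is not ejs's or Debian's code. It models, in a reduced form, how an EJS-style compiler builds the template function's JavaScript source as a string and splices the `outputFunctionName` option into it verbatim, and how `renderFile` takes renderer options from `settings['view options']` inside the render locals. Assumptions: the template syntax is cut down to `<%= expr %>`; `optionsFromLocals`, `generateSource`, `compileUnsafe`, `compileSafe` and `renderSafe` are hypothetical helpers; `__recordSideEffect` stands in for the OS command a real payload would execute; the identifier check in `compileSafe` is one example hardening for this model, not a claim about the exact upstream patch; the attacker object is constructed by hand to match what Express's extended query parser produces from `?name=Bob&settings[view options][outputFunctionName]=<payload>` when an application passes `req.query` straight to `res.render()`.

```javascript
// Added illustration (not ejs's own code) of the mechanism behind
// CVE-2022-29078. Template syntax is reduced to `<%= expr %>`; the helper
// names below are hypothetical; `__recordSideEffect` is a harmless stand-in
// for the OS command a real payload would run.
const sideEffects = [];
globalThis.__recordSideEffect = (what) => { sideEffects.push(what); };

// ejs's renderFile reads renderer options out of the locals; a caller that
// passes request-controlled data as locals therefore lets the client set them.
function optionsFromLocals(locals, opts = {}) {
  const viewOpts = locals && locals.settings && locals.settings['view options'];
  return Object.assign({}, opts, viewOpts || {});
}

// Generate the body of the template function. The `var <name> = __append;`
// line is where an attacker-supplied outputFunctionName becomes code.
function generateSource(template, opts) {
  let src = 'var __output = "";\n' +
            'function __append(s) { __output += String(s); }\n';
  if (opts.outputFunctionName) {
    src += 'var ' + opts.outputFunctionName + ' = __append;\n'; // injection point
  }
  template.split(/<%=([\s\S]*?)%>/).forEach((part, i) => {
    src += (i % 2 === 0)
      ? '__append(' + JSON.stringify(part) + ');\n'   // literal text
      : '__append((' + part.trim() + '));\n';         // <%= expr %>
  });
  return src + 'return __output;\n';
}

// Vulnerable: whatever arrives in the option is compiled as JavaScript.
function compileUnsafe(template, locals) {
  return new Function('locals', generateSource(template, optionsFromLocals(locals)));
}

// Hardened (example for this model): refuse any outputFunctionName that is
// not a plain JS identifier, so the option can only name a variable and can
// never carry statements.
const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;
function compileSafe(template, locals) {
  const opts = optionsFromLocals(locals);
  if (opts.outputFunctionName !== undefined &&
      !JS_IDENTIFIER.test(String(opts.outputFunctionName))) {
    throw new Error('outputFunctionName is not a valid JS identifier');
  }
  return new Function('locals', generateSource(template, opts));
}

function renderSafe(template, locals) {
  return compileSafe(template, locals)(locals);
}

// Constructed attacker input: the object Express's extended query parser
// builds from ?name=Bob&settings[view options][outputFunctionName]=<payload>
// when the app hands req.query straight to res.render().
const PAYLOAD = 'x; __recordSideEffect("command ran"); var y';
const attackerLocals = {
  name: 'Bob',
  settings: { 'view options': { outputFunctionName: PAYLOAD } },
};

// Render with the vulnerable compiler: the page still comes out right, but
// the payload spliced into `var x; ...; var y = __append;` has executed.
function demoUnsafe() {
  sideEffects.length = 0;
  const output = compileUnsafe('Hello <%= locals.name %>', attackerLocals)(attackerLocals);
  return { output, sideEffects: sideEffects.slice() };
}

// Same input through the hardened compiler: compilation is refused and
// nothing runs.
function demoSafe() {
  sideEffects.length = 0;
  try {
    compileSafe('Hello <%= locals.name %>', attackerLocals);
    return { threw: false, sideEffects: sideEffects.slice() };
  } catch (e) {
    return { threw: true, message: e.message, sideEffects: sideEffects.slice() };
  }
}

console.log(demoUnsafe()); // { output: 'Hello Bob', sideEffects: [ 'command ran' ] }
console.log(demoSafe());   // { threw: true, ..., sideEffects: [] }
console.log(renderSafe('Hi <%= locals.name %>',
  { name: 'A', settings: { 'view options': { outputFunctionName: 'echo' } } })); // Hi A
```

The identifier check closes the injection at the compiler, but the root cause is that renderer options travel in the same object as untrusted data; an application that never passes request-controlled objects as render locals is not exposed even on an unpatched ejs. Both layers are worth having.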