Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id
<d50ba4de424290cd2840a09ef19950156fcf51ab.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #953614,
regarding buster-pu: package dojo/1.14.2+dfsg1-1+deb10u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
953614: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953614
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Hi,
2 new vulnerabilities have been published for dojo: prototype
pollutions. I imported the 2 upstream fixes here.
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index f2dfbd6c..d4aae875 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+dojo (1.14.2+dfsg1-1+deb10u2) buster; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution in deepCopy method (Closes: #953585,
+ CVE-2020-5258)
+ * Fix Prototype Pollution in jqMix method (Closes: #953587, CVE-2020-5259)
+
+ -- Xavier Guimard <[email protected]> Wed, 11 Mar 2020 06:18:23 +0100
+
dojo (1.14.2+dfsg1-1+deb10u1) buster; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2020-5258.diff
b/debian/patches/CVE-2020-5258.diff
new file mode 100644
index 00000000..4aefd61d
--- /dev/null
+++ b/debian/patches/CVE-2020-5258.diff
@@ -0,0 +1,20 @@
+Description: fix Prototype Pollution
+Author: Nick Nisi
+Origin: upstream, https://github.com/dojo/dojox/commit/c5901be1
+Bug: https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2
+Bug-Debian: https://bugs.debian.org/953585
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <[email protected]>
+Last-Update: 2020-03-11
+
+--- a/dojo/request/util.js
++++ b/dojo/request/util.js
+@@ -13,7 +13,7 @@
+ for (var name in source) {
+ var tval = target[name],
+ sval = source[name];
+- if (tval !== sval) {
++ if (name !== '__proto__' && tval !== sval) {
+ if (sval && typeof sval === 'object' &&
!(has('native-formdata') && sval instanceof FormData)) {
+ if
(Object.prototype.toString.call(sval) === '[object Date]') { // use this date
test to handle crossing frame boundaries
+ target[name] = new Date(sval);
diff --git a/debian/patches/CVE-2020-5259.diff
b/debian/patches/CVE-2020-5259.diff
new file mode 100644
index 00000000..3d05ed7e
--- /dev/null
+++ b/debian/patches/CVE-2020-5259.diff
@@ -0,0 +1,20 @@
+Description: fix prototype pollution in jqMix method
+Author: Nick Nisi
+Origin: upstream, https://github.com/dojo/dojox/commit/c5901be1
+Bug: https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
+Bug-Debian: https://bugs.debian.org/953587
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <[email protected]>
+Last-Update: 2020-03-11
+
+--- a/dojox/jq.js
++++ b/dojox/jq.js
+@@ -455,7 +455,7 @@
+ // inherited from Object.prototype. For example, if
obj has a custom
+ // toString() method, don't overwrite it with the
toString() method
+ // that props inherited from Object.prototype
+- if((tobj[x] === undefined || tobj[x] != props[x]) &&
props[x] !== undefined && obj != props[x]){
++ if(x !== '__proto__ ' && ((tobj[x] === undefined ||
tobj[x] != props[x])) && props[x] !== undefined && obj != props[x]){
+ if(dojo.isObject(obj[x]) &&
dojo.isObject(props[x])){
+ if(dojo.isArray(props[x])){
+ obj[x] = props[x];
diff --git a/debian/patches/series b/debian/patches/series
index b0f5ff11..d5b7db42 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@
0002-Do-notrun-test-suite-in-build.patch
0003-Disable-flash-storage.patch
CVE-2019-10785.patch
+CVE-2020-5258.diff
+CVE-2020-5259.diff
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.6
Hi,
Each of these bugs relates to an update that was included in today's
stable point release.
Regards,
Adam
--- End Message ---
