Your message dated Sun, 13 Oct 2019 19:17:10 +0000
with message-id <[email protected]>
and subject line Bug#941189: fixed in node-set-value 0.4.0-1+deb10u1
has caused the Debian Bug report #941189,
regarding node-set-value: CVE-2019-10747
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
941189: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941189
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-set-value
Version: 0.4.0-1
Severity: important
Tags: security upstream
Control: found -1 3.0.0-1

Hi,

The following vulnerability was published for node-set-value.

CVE-2019-10747[0]:
| set-value is vulnerable to Prototype Pollution in versions lower than
| 3.0.1. The function mixin-deep could be tricked into adding or
| modifying properties of Object.prototype using any of the constructor,
| prototype and _proto_ payloads.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10747
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747
[1] https://snyk.io/vuln/SNYK-JS-SETVALUE-450213

Regards,
Salvatore

--- End Message ---
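Added example, not part of the original report and not set-value's code or the Debian patch: a minimal dotted-path setter showing how the keys named in the CVE text reach Object.prototype and how a key check blocks them. The names setPathUnsafe, setPathSafe, pollutes and BLOCKED_KEYS are hypothetical; `__proto__` is the JavaScript spelling of the key the advisory text renders as _proto_.

```javascript
// Illustrative only: a toy path setter, not the set-value implementation.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unguarded: follows inherited properties, so "__proto__.x" and
// "constructor.prototype.x" both end up writing to Object.prototype.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const cur = node[key];
    const walkable = cur !== null && (typeof cur === 'object' || typeof cur === 'function');
    if (!walkable) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Guarded: rejects the dangerous segments and only descends into own properties.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED_KEYS.has(k))) {
    throw new Error(`refusing unsafe path segment in "${path}"`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Regression check: does calling `setter` with `prefix` leak a marker onto
// every object? The marker is always removed again before returning.
function pollutes(setter, prefix) {
  const marker = 'pollutedMarker'; // constructed sample key
  try {
    setter({}, `${prefix}.${marker}`, true);
  } catch (_) {
    // A rejected path counts as "did not pollute".
  }
  const leaked = ({})[marker] === true;
  delete Object.prototype[marker];
  return leaked;
}
```

Running pollutes() against both setters for each prefix gives a regression test of the kind the "Add test for CVE-2019-10747" changelog entry refers to.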
--- Begin Message ---
Source: node-set-value
Source-Version: 0.4.0-1+deb10u1

We believe that the bug you reported is fixed in the latest version of
node-set-value, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-set-value package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 26 Sep 2019 07:27:54 +0200
Source: node-set-value
Architecture: source
Version: 0.4.0-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 941189
Changes:
 node-set-value (0.4.0-1+deb10u1) buster; urgency=medium
 .
   * Team upload
   * Fix prototype pollution (Closes: #941189, CVE-2019-10747)
   * Add test for CVE-2019-10747

--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel