Your message dated Fri, 17 Jan 2020 07:12:05 +0100
with message-id <[email protected]>
and subject line Fixed via 6.0.3+dfsg-1
has caused the Debian Bug report #948095,
regarding node-kind-of: CVE-2019-20149
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
948095: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948095
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-kind-of
Version: 6.0.2+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/jonschlinkert/kind-of/issues/30
Hi,

The following vulnerability was published for node-kind-of.

CVE-2019-20149[0]:
| ctorName in index.js in kind-of v6.0.2 allows external user input to
| overwrite certain internal attributes via a conflicting name, as
| demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted
| payload can overwrite this builtin attribute to manipulate the type
| detection result.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-20149
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20149
[1] https://github.com/jonschlinkert/kind-of/issues/30
[2] https://github.com/jonschlinkert/kind-of/pull/31

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
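
The type-detection flaw described in the CVE text above, as an added example that is not part of the original message and is not kind-of's own code: a simplified detector that reads constructor.name, shown with a weak and a hardened lookup. All function names are hypothetical, and the hardened check (requiring constructor to be a function) is an assumed mitigation, not quoted from the upstream fix.

```javascript
// Added example: simplified model of constructor-name-based type detection.
// All function names are hypothetical; this is not kind-of's source.
const NAME_TO_KIND = { Symbol: 'symbol', Promise: 'promise', Map: 'map', Set: 'set' };

// Weak form: trusts whatever "constructor" resolves to, including an own
// property supplied by the caller that shadows Object.prototype.constructor.
function ctorNameWeak(val) {
  return val.constructor ? val.constructor.name : null;
}

// Hardened form (assumed mitigation): a genuine constructor is a function,
// so a plain object sitting in that slot is ignored.
function ctorNameHardened(val) {
  return typeof val.constructor === 'function' ? val.constructor.name : null;
}

function detectKind(val, ctorName) {
  if (val === null) return 'null';
  if (typeof val !== 'object') return typeof val;
  if (Array.isArray(val)) return 'array';
  const name = ctorName(val);
  const known = typeof name === 'string' &&
    Object.prototype.hasOwnProperty.call(NAME_TO_KIND, name);
  return known ? NAME_TO_KIND[name] : 'object';
}

// Input-validation check: parsed untrusted data has no reason to carry
// its own "constructor" key.
function shadowsConstructor(val) {
  return val !== null && typeof val === 'object' &&
    Object.prototype.hasOwnProperty.call(val, 'constructor');
}

function compare(val) {
  return {
    weak: detectKind(val, ctorNameWeak),
    hardened: detectKind(val, ctorNameHardened),
    flagged: shadowsConstructor(val),
  };
}

// Constructed input: the payload from the CVE text, parsed as a JSON body.
const untrusted = JSON.parse('{"constructor": {"name": "Symbol"}}');

console.log(compare(untrusted));
console.log(compare(new Map()));
console.log(compare(Object.create(null)));
```

Code that branches on a detected kind (for example to skip validation or cloning of "symbol" values) is where the misclassification matters, so the flagged field is worth logging at the point untrusted JSON enters the application.
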
--- Begin Message ---
Fixed via 6.0.3+dfsg-1
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel