Your message dated Wed, 11 Mar 2020 05:20:11 +0000
with message-id <e1jbtmt-000cjw...@fasolo.debian.org>
and subject line Bug#953587: fixed in dojo 1.15.3+dfsg1-1
has caused the Debian Bug report #953587,
regarding dojo: CVE-2020-5259
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
953587: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953587
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dojo
Version: 1.15.2+dfsg1-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for dojo.
CVE-2020-5259[0]:
| In affected versions of dojox (NPM package), the jqMix method is
| vulnerable to Prototype Pollution. Prototype Pollution refers to the
| ability to inject properties into existing JavaScript language
| construct prototypes, such as objects. An attacker manipulates these
| attributes to overwrite, or pollute, a JavaScript application object
| prototype of the base object by injecting other values. This has been
| patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-5259
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5259
[1] https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
[2] https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
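The quoted advisory describes prototype pollution reached through a property-mixing method. The following is an added example written for this page, not dojox's jqMix and not the upstream patch: `naiveMix` is a constructed recursive merge that shows how such a method can be made to write into `Object.prototype`, and `safeMix` is one hardened form that refuses to walk the prototype-related keys. The JSON input is constructed sample data.

```javascript
'use strict';

// Constructed sample of untrusted input (for example a JSON request body).
// The "__proto__" key is an own property after JSON.parse, so a merge that
// enumerates and recurses into every key will reach Object.prototype.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Vulnerable pattern (hypothetical, not dojox code): recurse into any key.
// target["__proto__"] resolves to Object.prototype, so the nested values
// are written onto the shared prototype of every plain object.
function naiveMix(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveMix(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form (one possible mitigation, not the upstream fix):
//  - iterate own keys only (Object.keys), never inherited ones;
//  - skip keys that lead to prototypes or constructors;
//  - only recurse into a target slot that is the target's own plain object.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMix(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMix(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one mix function over the untrusted input and reports whether an
// unrelated, freshly created object now "has" isAdmin via its prototype.
// Any pollution is removed afterwards so repeated runs do not interfere.
function demonstrate(mixFn) {
  const probe = {};
  const settings = mixFn({}, JSON.parse(UNTRUSTED_JSON));
  const polluted = probe.isAdmin === true;
  delete Object.prototype.isAdmin;
  return {
    polluted,
    theme: settings.theme,
    settingsHasOwnIsAdmin: Object.prototype.hasOwnProperty.call(settings, 'isAdmin'),
  };
}

console.log('naiveMix:', demonstrate(naiveMix)); // polluted: true
console.log('safeMix:', demonstrate(safeMix));   // polluted: false
```

The detection hook for a code review is the `for ... in` plus unconditional recursion on `target[key]`: a bracket lookup of `"__proto__"` on any ordinary object returns `Object.prototype`, so the merge silently changes targets. Blocking the three keys, iterating own properties only, and checking `hasOwnProperty` on the target before recursing closes that path without changing the behaviour for ordinary keys such as `theme`.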
--- Begin Message ---
Source: dojo
Source-Version: 1.15.3+dfsg1-1
Done: Xavier Guimard <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
dojo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 953...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <y...@debian.org> (supplier of updated dojo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 11 Mar 2020 05:49:24 +0100
Source: dojo
Architecture: source
Version: 1.15.3+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Xavier Guimard <y...@debian.org>
Closes: 953585 953587
Changes:
dojo (1.15.3+dfsg1-1) unstable; urgency=medium
.
* Team upload
* New upstream version 1.15.3+dfsg1 (Closes: #953585, #953587,
CVE-2020-5258, CVE-2020-5259)
Checksums-Sha1:
e07e7994bb3d4cf69154543e2352b176610ba25b 2385 dojo_1.15.3+dfsg1-1.dsc
5af97eb549b98da7a92ef97a71c74037d777c418 30312668 dojo_1.15.3+dfsg1.orig.tar.xz
376662073908c872d2442199ff6c2a910c68d562 15292 dojo_1.15.3+dfsg1-1.debian.tar.xz
Checksums-Sha256:
822616138875e4305a0f286be4cd4ab76b9b7b7a9f68f5b1f9f5856adc727515 2385 dojo_1.15.3+dfsg1-1.dsc
4075c28dc6990f759503f3f5e566e9eb5e5e537c135c781727e589362c7697b1 30312668 dojo_1.15.3+dfsg1.orig.tar.xz
a57a00bed3a52c25a6d26a39ef70a477ff3971961ad3a5351147e401cdac1905 15292 dojo_1.15.3+dfsg1-1.debian.tar.xz
Files:
386abd93724889b7ea7c41c3041d607f 2385 javascript optional dojo_1.15.3+dfsg1-1.dsc
72b350eae67bf76635c0417ec7134b7c 30312668 javascript optional dojo_1.15.3+dfsg1.orig.tar.xz
1acd05b5fe42b54c0d19ef76033fd7b7 15292 javascript optional dojo_1.15.3+dfsg1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=ggXT
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel