Your message dated Fri, 13 Mar 2020 06:26:00 +0000
with message-id <[email protected]>
and subject line Bug#953762: fixed in node-minimist 1.2.5-1
has caused the Debian Bug report #953762,
regarding node-minimist: CVE-2020-7598
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
953762: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953762
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-minimist
Version: 1.2.0-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for node-minimist.
CVE-2020-7598[0]:
| minimist before 1.2.2 could be tricked into adding or modifying
| properties of Object.prototype using a "constructor" or "__proto__"
| payload.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-7598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598
[1] https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
[2] https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Regards,
Salvatore
--- End Message ---
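The behaviour named in the CVE description above, as an added example that is not part of the original message and is not minimist's source: a simplified dotted-key setter of the kind command-line argument parsers use, beside a hardened form, plus a probe that can serve as a regression check. The names `setKeyUnsafe`, `setKeySafe`, `pollutes` and `ppProbe` are hypothetical.

```javascript
// Simplified model of "--a.b.c value" handling in an argument parser.
// Hypothetical helpers for illustration; not code from minimist.

// Unfiltered: walks the key path as given. A path that starts with
// "__proto__" or "constructor.prototype" resolves to Object.prototype,
// so the final assignment becomes visible on every object.
function setKeyUnsafe(obj, path, value) {
  const keys = path.split('.');
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened: refuse any path containing a prototype-reaching segment and
// only descend into own properties that are plain objects.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

function setKeySafe(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED.has(k))) return false;
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Regression probe: does `setter` leak a marker onto Object.prototype
// when given `prefix`? The marker name is constructed for this example
// and is always removed afterwards.
function pollutes(setter, prefix) {
  const probe = 'ppProbe';
  setter({}, prefix + '.' + probe, true);
  const leaked = ({})[probe] === true;
  delete Object.prototype[probe];
  return leaked;
}

for (const prefix of ['__proto__', 'constructor.prototype']) {
  console.log(prefix, 'unsafe:', pollutes(setKeyUnsafe, prefix),
    'safe:', pollutes(setKeySafe, prefix));
}
```

The same `pollutes` probe can be pointed at a wrapper around whichever parser version is actually installed, to confirm that an upgrade took effect.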
--- Begin Message ---
Source: node-minimist
Source-Version: 1.2.5-1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-minimist, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-minimist package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 13 Mar 2020 06:24:15 +0100
Source: node-minimist
Architecture: source
Version: 1.2.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 953762
Changes:
node-minimist (1.2.5-1) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.5.0
* Bump debhelper compatibility level to 12
* Update VCS fields to salsa
* Use pkg-js-tools auto install
* Add "Rules-Requires-Root: no"
* Change section to javascript
* New upstream version 1.2.5 (Closes: #953762, CVE-2020-7598)
* Enable upstream test using tap
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel