Your message dated Mon, 30 Mar 2020 15:34:40 +0000
with message-id <e1jiwqy-000cv6...@fasolo.debian.org>
and subject line Bug#952912: fixed in node-yarnpkg 1.22.4-1
has caused the Debian Bug report #952912,
regarding node-yarnpkg: CVE-2020-8131
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
952912: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952912
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-yarnpkg
Version: 1.21.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/yarnpkg/yarn/pull/7831

Hi,

The following vulnerability was published for node-yarnpkg.

CVE-2020-8131[0]:
| Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows
| attackers to write to any path on the filesystem and potentially lead
| to arbitrary code execution by forcing the user to install a malicious
| package.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8131
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8131
[1] https://github.com/yarnpkg/yarn/pull/7831
[2] https://hackerone.com/reports/730239

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-yarnpkg
Source-Version: 1.22.4-1
Done: Xavier Guimard <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-yarnpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 952...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <y...@debian.org> (supplier of updated node-yarnpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Mar 2020 14:59:58 +0200
Source: node-yarnpkg
Architecture: source
Version: 1.22.4-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers 
<pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Xavier Guimard <y...@debian.org>
Closes: 952912
Changes:
 node-yarnpkg (1.22.4-1) experimental; urgency=medium
 .
   * Team upload
   * New upstream version 1.22.4 (Closes: #952912, CVE-2020-8131)
   * Refresh patches
   * Embed component: mkdirp-classic
   * New upstream version 1.22.4
   * Use pkg-js-tools auto install
Checksums-Sha1: 
Checksums-Sha256: 
Files: 


--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
