Your message dated Mon, 05 Apr 2021 13:32:33 +0000
with message-id <[email protected]>
and subject line Bug#986171: fixed in underscore 1.9.1~dfsg-1+deb10u1
has caused the Debian Bug report #986171,
regarding underscore: CVE-2021-23358
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
986171: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986171
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: underscore
Version: 1.9.1~dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>, [email protected]
Hi,
The following vulnerability was published for underscore.
CVE-2021-23358[0]:
| The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2
| and before 1.12.1 are vulnerable to Arbitrary Code Execution via the
| template function, particularly when a variable property is passed as
| an argument as it is not sanitized.
[1] provides a POC to verify the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-23358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
[1] https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: underscore
Source-Version: 1.9.1~dfsg-1+deb10u1
Done: Yadd <[email protected]>
We believe that the bug you reported is fixed in the latest version of
underscore, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated underscore package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 30 Mar 2021 22:54:09 +0200
Source: underscore
Binary: libjs-underscore node-underscore
Architecture: source all
Version: 1.9.1~dfsg-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Description:
libjs-underscore - JavaScript's functional programming helper library
node-underscore - JavaScript's functional programming helper library - NodeJS
Closes: 986171
Changes:
underscore (1.9.1~dfsg-1+deb10u1) buster-security; urgency=high
.
* Team upload
* Fix arbitrary code execution (Closes: #986171)
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel