Your message dated Thu, 16 Sep 2021 16:30:00 +0000
with message-id <[email protected]>
and subject line Bug#994448: fixed in node-set-value 4.1.0-1
has caused the Debian Bug report #994448,
regarding node-set-value: CVE-2021-23440 - type confusion allows bypass of 
CVE-2019-10747
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
994448: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994448
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: node-set-value
X-Debbugs-CC: [email protected]
Severity: important
Tags: security, upstream

Hi,

The following vulnerability was published for node-set-value.

CVE-2021-23440[0]:
| This affects the package set-value before 4.0.1. A type confusion
| vulnerability can lead to a bypass of CVE-2019-10747 when the user-
| provided keys used in the path parameter are arrays.

CVE-2019-10747 was reported as Debian bug 941189. [1]

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23440
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23440
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941189

Please adjust the affected versions in the BTS as needed.


-- 
Neil Williams
=============
https://linux.codehelp.co.uk/



--- End Message ---
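Added example, not part of the bug report and not set-value's source code: CVE-2019-10747 is the earlier prototype pollution issue in set-value, and the sketch below shows why a guard that compares path segments against blocked names misses a segment that arrives as an array, alongside a guard that rejects non-primitive segments. All function names and sample paths are constructed for illustration, and the walk is read-only so nothing is modified.

```javascript
'use strict';
// Added illustration; NOT set-value's code. All names are hypothetical.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Weak guard: assumes every path segment is already a string.
// An array such as ['__proto__'] never equals a string, so it passes,
// yet the engine coerces it to '__proto__' when it is used as a key.
function weakGuard(segments) {
  return segments.every((seg) => !BLOCKED.has(seg));
}

// Hardened guard: reject non-primitive segments outright, then compare
// the exact string the engine will use as the property key.
function strictGuard(segments) {
  return segments.every((seg) => {
    if (typeof seg !== 'string' && typeof seg !== 'number') return false;
    return !BLOCKED.has(String(seg));
  });
}

// Read-only walk: returns the object a nested setter would write into.
function resolveParent(root, segments) {
  let node = root;
  for (const seg of segments.slice(0, -1)) {
    if (node === null || typeof node !== 'object') return undefined;
    node = node[seg];
  }
  return node;
}

// Constructed sample paths, shaped as they could arrive from parsed JSON.
const samples = {
  plain: ['user', 'name'],
  stringKey: ['__proto__', 'flag'],
  arrayKey: [['__proto__'], 'flag'],
};

// Report what each guard decides and where the write would land.
function audit(path) {
  return {
    weak: weakGuard(path),
    strict: strictGuard(path),
    reachesObjectPrototype:
      resolveParent({ user: {} }, path) === Object.prototype,
  };
}

for (const [name, path] of Object.entries(samples)) {
  console.log(name, audit(path));
}
```

A path accepted by a guard while reachesObjectPrototype is true is the case to alert on; only the weak guard produces it, for the array-typed segment.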
--- Begin Message ---
Source: node-set-value
Source-Version: 4.1.0-1
Done: Yadd <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-set-value, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-set-value package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 16 Sep 2021 17:42:52 +0200
Source: node-set-value
Architecture: source
Version: 4.1.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 994448
Changes:
 node-set-value (4.1.0-1) experimental; urgency=medium
 .
   * Team upload
   * Fix GitHub tags regex
   * Declare compliance with policy 4.6.0
   * New upstream version 4.1.0 (Closes: #994448)
   * Drop embedded test modules
   * Update test
   * Update dependencies:
     + add node-is-primitive
     + drop node-extend-shallow, node-to-object-path, nodejs

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
