Your message dated Thu, 16 Sep 2021 16:53:18 +0000
with message-id <[email protected]>
and subject line Bug#994448: fixed in node-set-value 3.0.1-3
has caused the Debian Bug report #994448,
regarding node-set-value: CVE-2021-23440 - type confusion allows bypass of
CVE-2019-10747
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
994448: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994448
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: node-set-value
X-Debbugs-CC: [email protected]
Severity: important
Tags: security, upstream
Hi,
The following vulnerability was published for node-set-value.
CVE-2021-23440[0]:
| This affects the package set-value before 4.0.1. A type confusion
| vulnerability can lead to a bypass of CVE-2019-10747 when the user-
| provided keys used in the path parameter are arrays.
CVE-2019-10747 was reported as Debian bug 941189. [1]
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-23440
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23440
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941189
Please adjust the affected versions in the BTS as needed.
--
Neil Williams
=============
https://linux.codehelp.co.uk/
--- End Message ---
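The type confusion described in the CVE text above, as an added regression-style example (not code from set-value or from the Debian patch). The names `setPath`, `naiveGuard`, `strictGuard` and `MARKER` are hypothetical. A key check that compares against unsafe names passes an array key, while property access coerces that same key to a string.

```javascript
'use strict';

const UNSAFE = new Set(['__proto__', 'constructor', 'prototype']);
const MARKER = 'cve_2021_23440_check'; // constructed property name for the check

// String-comparison guard: ['__proto__'] is an object, so it never matches
// an entry in UNSAFE, yet node[['__proto__']] resolves to node['__proto__'].
function naiveGuard(key) {
  return !UNSAFE.has(key);
}

// Type-aware guard: reject any key that is not a string or number
// before comparing it against the unsafe names.
function strictGuard(key) {
  const t = typeof key;
  if (t !== 'string' && t !== 'number') return false;
  return !UNSAFE.has(String(key));
}

// Minimal nested setter (hypothetical, for illustration only).
function setPath(target, path, value, guard) {
  let node = target;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    if (!guard(key)) throw new TypeError('unsafe or non-primitive key in path');
    if (i === path.length - 1) { node[key] = value; break; }
    if (node[key] === null || typeof node[key] !== 'object') node[key] = {};
    node = node[key];
  }
  return target;
}

// True if setting `path` under `guard` makes MARKER visible on a fresh object.
// Always removes MARKER from Object.prototype afterwards.
function reachesPrototype(guard, path) {
  try {
    setPath({}, path, true, guard);
    return ({})[MARKER] === true;
  } catch (err) {
    return false;
  } finally {
    delete Object.prototype[MARKER];
  }
}

console.log('naive, string key :', reachesPrototype(naiveGuard, ['__proto__', MARKER]));
console.log('naive, array key  :', reachesPrototype(naiveGuard, [['__proto__'], MARKER]));
console.log('strict, array key :', reachesPrototype(strictGuard, [['__proto__'], MARKER]));
```

A package test for this class of bug should assert that a fresh object has no unexpected property after the call, not only that the call throws or returns.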
--- Begin Message ---
Source: node-set-value
Source-Version: 3.0.1-3
Done: Yadd <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-set-value, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-set-value package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 16 Sep 2021 18:11:33 +0200
Source: node-set-value
Architecture: source
Version: 3.0.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 994448
Changes:
node-set-value (3.0.1-3) unstable; urgency=medium
.
* Team upload
* Bump debhelper compatibility level to 13
* Declare compliance with policy 4.6.0
* Modernize debian/watch
* Fix GitHub tags regex
* Use dh-sequence-nodejs
* Fix prototype pollution (Closes: #994448, CVE-2021-23440)
* Add test for CVE-2021-23440
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel