[Pkg-javascript-devel] rainbow.js 2.1.4+ds-1 MIGRATED to testing

2019-07-20 Thread Debian testing watch
FYI: The status of the rainbow.js source package
in Debian's testing distribution has changed.

  Previous version: 1.1.8+ds1-1
  Current version:  2.1.4+ds-1

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

[Pkg-javascript-devel] node-y18n 4.0.0-1 MIGRATED to testing

2019-07-20 Thread Debian testing watch
FYI: The status of the node-y18n source package
in Debian's testing distribution has changed.

  Previous version: 3.2.1-2
  Current version:  4.0.0-1


[Pkg-javascript-devel] node-xmpp is marked for autoremoval from testing

2019-07-20 Thread Debian testing autoremoval watch
node-xmpp 0.3.2-4 is marked for autoremoval from testing on 2019-08-04

It is affected by these RC bugs:
921384: node-xmpp: node-stringprep breaks node-xmpp autopkgtest



[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution

2019-07-20 Thread Xavier
On 20/07/2019 at 22:23, Salvatore Bonaccorso wrote:
> Hi Xavier,
> 
> On Sat, Jul 20, 2019 at 05:44:05PM +0200, Xavier wrote:
>> On 20/07/2019 at 06:32, Paolo Greppi wrote:
>>> Package: node-mixin-deep
>>> Version: 1.1.3-3
>>> Severity: important
>>>
>>> Dear Maintainer,
>>>
>>> node-mixin-deep 1.1.3-3  is affected by a prototype pollution vulnerability:
>>> https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
>>> https://github.com/jonschlinkert/mixin-deep/issues/6
>>>
>>> Please upgrade to either 1.3.2 or 2.0.1.
>>>
>>> Thanks, Paolo
>>
>> Hello,
>>
>> here is a proposed fix.
> 
> Thanks for preparing a debdiff. Can you fix this via an upcoming point
> release for buster?
> 
> Regards,
> Salvatore

Of course, thanks for your work !


[Pkg-javascript-devel] Processed: autopkgtest failures are now RC; raising severity for *existing* bugs

2019-07-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # The release team has announced that autopkgtest failure is now RC
> # https://lists.debian.org/debian-devel-announce/2019/07/msg2.html
> severity 901779 serious
Bug #901779 [src:debirf] debirf: autopkgtest fails because script is not 
executable
Severity set to 'serious' from 'normal'
> reassign 909276 qbzr 0.23.2-4
Bug #909276 [src:xorg-server, src:qbzr] xorg-server breaks qbzr autopkgtest: 
AssertionError: Timeout!
Bug reassigned from package 'src:xorg-server, src:qbzr' to 'qbzr'.
No longer marked as found in versions qbzr/0.23.2-4 and xorg-server/2:1.20.1-3.
Ignoring request to alter fixed versions of bug #909276 to the same values 
previously set
Bug #909276 [qbzr] xorg-server breaks qbzr autopkgtest: AssertionError: Timeout!
Marked as found in versions qbzr/0.23.2-4.
> found 909276 0.23.2-6
Bug #909276 [qbzr] xorg-server breaks qbzr autopkgtest: AssertionError: Timeout!
Marked as found in versions qbzr/0.23.2-6.
> severity 909276 serious
Bug #909276 [qbzr] xorg-server breaks qbzr autopkgtest: AssertionError: Timeout!
Severity set to 'serious' from 'normal'
> # boost1.62 isn't in testing anymore anyways
> reassign 914043 boost1.62
Bug #914043 [src:boost-defaults, src:boost1.62] boost-defaults breaks boost1.62 
autopkgtest
Bug reassigned from package 'src:boost-defaults, src:boost1.62' to 'boost1.62'.
No longer marked as found in versions boost1.62/1.62.0+dfsg-10 and 
boost-defaults/1.67.0.1.
Ignoring request to alter fixed versions of bug #914043 to the same values 
previously set
> severity 914043 serious
Bug #914043 [boost1.62] boost-defaults breaks boost1.62 autopkgtest
Severity set to 'serious' from 'normal'
> reassign 920545 python-intervaltree-bio 1.0.1-2
Bug #920545 [src:python-intervaltree, src:python-intervaltree-bio] 
python-intervaltree breaks python-intervaltree-bio autopkgtest
Bug reassigned from package 'src:python-intervaltree, 
src:python-intervaltree-bio' to 'python-intervaltree-bio'.
No longer marked as found in versions python-intervaltree/3.0.2-1 and 
python-intervaltree-bio/1.0.1-2.
Ignoring request to alter fixed versions of bug #920545 to the same values 
previously set
Bug #920545 [python-intervaltree-bio] python-intervaltree breaks 
python-intervaltree-bio autopkgtest
Marked as found in versions python-intervaltree-bio/1.0.1-2.
> severity 920545 serious
Bug #920545 [python-intervaltree-bio] python-intervaltree breaks 
python-intervaltree-bio autopkgtest
Severity set to 'serious' from 'important'
> reassign 921384 node-xmpp 0.3.2-4
Bug #921384 [src:node-stringprep, src:node-xmpp] node-stringprep breaks 
node-xmpp autopkgtest
Bug reassigned from package 'src:node-stringprep, src:node-xmpp' to 'node-xmpp'.
No longer marked as found in versions node-stringprep/0.8.0-5 and 
node-xmpp/0.3.2-4.
Ignoring request to alter fixed versions of bug #921384 to the same values 
previously set
Bug #921384 [node-xmpp] node-stringprep breaks node-xmpp autopkgtest
There is no source info for the package 'node-xmpp' at version '0.3.2-4' with 
architecture ''
Unable to make a source version for version '0.3.2-4'
Marked as found in versions 0.3.2-4.
> severity 921384 serious
Bug #921384 [node-xmpp] node-stringprep breaks node-xmpp autopkgtest
Severity set to 'serious' from 'normal'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
901779: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901779
909276: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909276
914043: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914043
920545: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920545
921384: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921384
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution

2019-07-20 Thread Salvatore Bonaccorso
Hi Xavier,

On Sat, Jul 20, 2019 at 05:44:05PM +0200, Xavier wrote:
> On 20/07/2019 at 06:32, Paolo Greppi wrote:
> > Package: node-mixin-deep
> > Version: 1.1.3-3
> > Severity: important
> > 
> > Dear Maintainer,
> > 
> > node-mixin-deep 1.1.3-3  is affected by a prototype pollution vulnerability:
> > https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
> > https://github.com/jonschlinkert/mixin-deep/issues/6
> > 
> > Please upgrade to either 1.3.2 or 2.0.1.
> > 
> > Thanks, Paolo
> 
> Hello,
> 
> here is a proposed fix.

Thanks for preparing a debdiff. Can you fix this via an upcoming point
release for buster?

Regards,
Salvatore


[Pkg-javascript-devel] Bug#932500: marked as done (vulnerability: CVE-2019-10746: prototype pollution)

2019-07-20 Thread Debian Bug Tracking System
Your message dated Sat, 20 Jul 2019 16:42:02 +
with message-id 
and subject line Bug#932500: fixed in node-mixin-deep 2.0.1-1
has caused the Debian Bug report #932500,
regarding vulnerability: CVE-2019-10746: prototype pollution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
932500: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932500
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: node-mixin-deep
Version: 1.1.3-3
Severity: important

Dear Maintainer,

node-mixin-deep 1.1.3-3  is affected by a prototype pollution vulnerability:
https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
https://github.com/jonschlinkert/mixin-deep/issues/6

Please upgrade to either 1.3.2 or 2.0.1.

Thanks, Paolo



-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/12 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages node-mixin-deep depends on:
ii  node-for-in 1.0.2-1
ii  node-is-extendable  1.0.1-1
ii  nodejs  10.15.2~dfsg-2

node-mixin-deep recommends no packages.

node-mixin-deep suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: node-mixin-deep
Source-Version: 2.0.1-1

We believe that the bug you reported is fixed in the latest version of
node-mixin-deep, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 932...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard  (supplier of updated node-mixin-deep package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 20 Jul 2019 18:00:22 +0200
Source: node-mixin-deep
Architecture: source
Version: 2.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Xavier Guimard 
Closes: 932500
Changes:
 node-mixin-deep (2.0.1-1) unstable; urgency=medium
 .
   * Team upload
   * Bump debhelper compatibility level to 12
   * Declare compliance with policy 4.4.0
   * Add debian/gbp.conf
   * Move installed files to /usr/share/nodejs
   * New upstream version 2.0.1 (Closes: #932500, CVE-2019-10746)
   * Remove patches now included in upstream
   * Update debian/copyright

[Pkg-javascript-devel] node-mixin-deep_2.0.1-1_sourceonly.changes ACCEPTED into unstable

2019-07-20 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 20 Jul 2019 18:00:22 +0200
Source: node-mixin-deep
Architecture: source
Version: 2.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Xavier Guimard 
Closes: 932500
Changes:
 node-mixin-deep (2.0.1-1) unstable; urgency=medium
 .
   * Team upload
   * Bump debhelper compatibility level to 12
   * Declare compliance with policy 4.4.0
   * Add debian/gbp.conf
   * Move installed files to /usr/share/nodejs
   * New upstream version 2.0.1 (Closes: #932500, CVE-2019-10746)
   * Remove patches now included in upstream
   * Update debian/copyright


Thank you for your contribution to Debian.


[Pkg-javascript-devel] Processing of node-mixin-deep_2.0.1-1_sourceonly.changes

2019-07-20 Thread Debian FTP Masters
node-mixin-deep_2.0.1-1_sourceonly.changes uploaded successfully to localhost
along with the files:
  node-mixin-deep_2.0.1-1.dsc
  node-mixin-deep_2.0.1.orig.tar.gz
  node-mixin-deep_2.0.1-1.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host usper.debian.org)


[Pkg-javascript-devel] Processed: Bug#932500 marked as pending in node-mixin-deep

2019-07-20 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #932500 [node-mixin-deep] vulnerability: CVE-2019-10746: prototype pollution
Ignoring request to alter tags of bug #932500 to the same tags previously set

-- 
932500: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932500
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


[Pkg-javascript-devel] Processed: tagging 932500

2019-07-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 932500 + pending confirmed upstream
Bug #932500 [node-mixin-deep] vulnerability: CVE-2019-10746: prototype pollution
Added tag(s) confirmed, upstream, and pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
932500: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932500
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution

2019-07-20 Thread Xavier
On 20/07/2019 at 06:32, Paolo Greppi wrote:
> Package: node-mixin-deep
> Version: 1.1.3-3
> Severity: important
> 
> Dear Maintainer,
> 
> node-mixin-deep 1.1.3-3  is affected by a prototype pollution vulnerability:
> https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
> https://github.com/jonschlinkert/mixin-deep/issues/6
> 
> Please upgrade to either 1.3.2 or 2.0.1.
> 
> Thanks, Paolo

Hello,

here is a proposed fix.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 17cb287..74f9154 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-mixin-deep (1.1.3-3+deb10u1) buster-security; urgency=medium
+
+  * Fix prototype pollution (Closes: #932500, CVE-2019-10746)
+
+ -- Xavier Guimard   Sat, 20 Jul 2019 17:41:17 +0200
+
 node-mixin-deep (1.1.3-3) unstable; urgency=medium
 
   * Team upload
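Review bot: The distribution on the new entry's first line is buster-security, while the reply in this thread asks for the fix to go via an upcoming point release for buster; for that route the entry should target buster instead. The Closes and CVE references match the bug title and need no change.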
diff --git a/debian/patches/CVE-2019-10746.diff 
b/debian/patches/CVE-2019-10746.diff
new file mode 100644
index 000..cc4b58a
--- /dev/null
+++ b/debian/patches/CVE-2019-10746.diff
@@ -0,0 +1,41 @@
+Description: Fix for CVE-2019-10746 (prototype pollution)
+Author: Jon Schlinkert (https://github.com/jonschlinkert)
+Origin: upstream, https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab
+Bug: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
+Bug-Debian: https://bugs.debian.org/932500
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2019-07-20
+
+--- a/index.js
 b/index.js
+@@ -23,10 +23,9 @@
+  */
+ 
+ function copy(val, key) {
+-  if (key === '__proto__') {
++  if (!isValidKey(key)) {
+ return;
+   }
+-
+   var obj = this[key];
+   if (isObject(val) && isObject(obj)) {
+ mixinDeep(obj, val);
+@@ -47,6 +46,17 @@
+ }
+ 
+ /**
++ * Returns true if `key` is a valid key to use when extending objects.
++ *
++ * @param  {String} `key`
++ * @return {Boolean}
++ */
++
++function isValidKey(key) {
++  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
++};
++
++/**
+  * Expose `mixinDeep`
+  */
+ 
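Review bot: No test accompanies the new isValidKey() check in the second index.js hunk, so nothing in the package catches 'constructor' or 'prototype' being dropped from the check later; a small test asserting that a merge of an object carrying those keys leaves a fresh {} without the merged property would cover it. As a style point, the "};" closing isValidKey ends a function declaration, so the trailing semicolon is a stray empty statement. It is also worth checking before upload that the embedded patch's "b/index.js" header line carries its "+++" marker, since it appears without one here.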
diff --git a/debian/patches/series b/debian/patches/series
index 9b10403..da1c174 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2018-3719.diff
+CVE-2019-10746.diff
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
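
The key guard from the patch above, run against constructed merge inputs beside the older `__proto__`-only check. This is an added example, not code from mixin-deep or the Debian package: `makeMerge`, `onlyProtoGuard`, `pollutes`, the `isObject` helper and the sample JSON are assumptions made for illustration, and only `isValidKey` follows the diff.

```javascript
'use strict';

// Assumption: functions count as mergeable, as an "is extendable" style check
// would treat them. That is what lets a merge step from target.constructor
// (a function) on to its prototype.
function isObject(val) {
  return val !== null && (typeof val === 'object' || typeof val === 'function');
}

// The check on the '-' side of the diff: only '__proto__' is refused.
function onlyProtoGuard(key) {
  return key !== '__proto__';
}

// The check on the '+' side of the diff: all three prototype-reaching keys are refused.
function isValidKey(key) {
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}

// Hypothetical minimal deep merge built around a key guard (not mixin-deep itself).
function makeMerge(guard) {
  return function merge(target, source) {
    for (const key of Object.keys(source)) {
      if (!guard(key)) continue;        // refused keys are silently skipped
      const val = source[key];
      const existing = target[key];     // inherited lookup, like this[key] in copy()
      if (isObject(val) && isObject(existing)) {
        merge(existing, val);           // recurse into whatever the lookup returned
      } else {
        target[key] = val;
      }
    }
    return target;
  };
}

// Constructed sample inputs, as they might arrive in a parsed JSON body.
const VIA_PROTO = '{"__proto__":{"polluted":"yes"}}';
const VIA_CONSTRUCTOR = '{"constructor":{"prototype":{"polluted":"yes"}}}';

// Merge untrusted JSON into a fresh object and report whether Object.prototype
// gained the property. The property is removed again so each check starts clean.
function pollutes(guard, json) {
  makeMerge(guard)({}, JSON.parse(json));
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  delete Object.prototype.polluted;
  return hit;
}

// Ordinary nested data must still merge under the stricter guard.
function benignMerge() {
  return makeMerge(isValidKey)({ a: { b: 1 } }, JSON.parse('{"a":{"c":2}}'));
}

console.log('__proto__-only guard, constructor path:', pollutes(onlyProtoGuard, VIA_CONSTRUCTOR));
console.log('isValidKey guard, constructor path:   ', pollutes(isValidKey, VIA_CONSTRUCTOR));
console.log('benign merge:', JSON.stringify(benignMerge()));
```

A check of this shape fits a package test: it fails if a later change narrows the guard back to `__proto__` alone.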

Re: [Pkg-javascript-devel] packaging node mermaid: Recursion in resolving module

2019-07-20 Thread Pirate Praveen


On 2019, July 20 4:17:16 PM IST, Nilesh Patra  wrote:
>Hi
>While packaging node-mermaid and resolving relevant paths. I experience
>several of these errors:
>
>WARNING in ./src/themes ^\.\/.*\/index\.scss$
>Module not found: Error: Recursion in resolving
>Stack:
>resolve:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid)
>css-to-string-loader
>  new-resolve:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid)
>css-to-string-loader
>  parsed-resolve:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid)
>css-to-string-loader module
>  described-resolve:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid)
>css-to-string-loader module
>  raw-module:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid)
>css-to-string-loader
>module:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid)
>css-to-string-loader
>resolve:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules)
>./css-to-string-loader
>  new-resolve:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules)
>./css-to-string-loader
>  parsed-resolve:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules)
>./css-to-string-loader
>  described-resolve:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules)
>./css-to-string-loader
>  relative:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
>  described-relative:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
>  raw-file:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
>file:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
>  relative:
>(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
> @ ./src/themes ^\.\/.*\/index\.scss$
> @ ./src/mermaidAPI.js
> @ ./src/mermaid.js
>
>It would be great if someone can let me know what that means and how to
>go about it.
>Here's the complete log if needed: http://paste.debian.net/1092431/
>This is the local repository where I'm working on:
>https://salsa.debian.org/gi-boi-guest/node-mermaid
>
>regards,
>Nilesh


ln -s scope-css node_modules should be enough I think, otherwise it will create 
recursive symlinks if the directory already exists.

You should also remove node_modules in clean target.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


[Pkg-javascript-devel] node-micromatch_4.0.2-1_sourceonly.changes ACCEPTED into experimental

2019-07-20 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 20 Jul 2019 13:23:40 +0200
Source: node-micromatch
Architecture: source
Version: 4.0.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Xavier Guimard 
Changes:
 node-micromatch (4.0.2-1) experimental; urgency=medium
 .
   * Team upload
 .
   [ Julien Puydt ]
   * Team upload.
   * New upstream release.
   * Update packaging:
 - Bump d/watch to version 4
 - Move from section web to section javascript
 - Use https in d/copyright's Format
 - Clean d/rules
 .
   [ Paolo Greppi ]
   * Update Vcs fields for migration to https://salsa.debian.org/
   * New upstream release
   * Update packaging:
 - Bump dh compat to 11
 - Bump std-ver to 4.1.4
 .
   [ Pirate Praveen ]
   * Enable tests
   * Add nanomatch as a component
   * Add object.pick as a component
   * Add embedded modules to NODE_PATH
   * Update build deps, add node-is-windows
   * Rename object-pick to object.pick
   * Update build depends for test
   * Set maximum version for node-snapdragon for node-braces
   * Add braces 2.x as component
   * Update dependencies for embedded braces
   * Add snapdragon-node as component
   * Add snapdragon-util as a component
   * Add extend-shallow 2.x as a component
   * Install extend-shallow 2.x
   * Add fill-range as a component
   * Use embedded fill-range
   * Install fill-range under node_modules
   * Add is-number as component
   * Add node-repeat-string dependency
   * Add node-to-regex-range as dependency
 .
   [ Xavier Guimard ]
   * New upstream version 4.0.2
   * Add debian/clean
   * Add node-braces >= 3.0.2 in dependencies
   * Link braces no node_modules/ during build (else test fails for an unknown
 reason)
   * Bump debhelper compatibility level to 12
   * Declare compliance with policy 4.4.0
   * Move installed files to /usr/share/nodejs
   * Add upstream/metadata
   * Switch test to pkg-js-tools
   * Remove unneeded dependency versions
   * Fix debian/copyright
   * Install examples
   * Fix components install
   * Update lintian-overrides

[Pkg-javascript-devel] node-to-regex-range_5.0.1-1_sourceonly.changes REJECTED

2019-07-20 Thread Debian FTP Masters


Version check failed:
Your upload included the source package node-to-regex-range, version 5.0.1-1,
however experimental already has version 5.0.1-1.
Uploads to experimental must have a higher version than present in experimental.



===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.



[Pkg-javascript-devel] node-to-regex_3.0.2+~2.0.2+~0.1.10-1_sourceonly.changes REJECTED

2019-07-20 Thread Debian FTP Masters


Version check failed:
Your upload included the source package node-to-regex, version 
3.0.2+~2.0.2+~0.1.10-1,
however experimental already has version 3.0.2+~2.0.2+~0.1.10-1.
Uploads to experimental must have a higher version than present in experimental.



===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.



[Pkg-javascript-devel] node-fill-range_7.0.1-1_sourceonly.changes REJECTED

2019-07-20 Thread Debian FTP Masters


Version check failed:
Your upload included the source package node-fill-range, version 7.0.1-1,
however experimental already has version 7.0.1-1.
Uploads to experimental must have a higher version than present in experimental.



===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.



[Pkg-javascript-devel] node-braces_3.0.2-1_sourceonly.changes REJECTED

2019-07-20 Thread Debian FTP Masters


Version check failed:
Your upload included the source package node-braces, version 3.0.2-1,
however experimental already has version 3.0.2-1.
Uploads to experimental must have a higher version than present in experimental.



===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.



Re: [Pkg-javascript-devel] packaging node mermaid: Recursion in resolving module

2019-07-20 Thread Xavier
On 20/07/2019 at 12:47, Nilesh Patra wrote:
> Hi
> While packaging node-mermaid and resolving relevant paths. I experience
> several of these errors:
> 
> WARNING in ./src/themes ^\.\/.*\/index\.scss$
> Module not found: Error: Recursion in resolving
> Stack:
>   resolve: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid) 
> css-to-string-loader
>   new-resolve: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid) 
> css-to-string-loader
>   parsed-resolve: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid) 
> css-to-string-loader module
>   described-resolve: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid) 
> css-to-string-loader module
>   raw-module: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid) 
> css-to-string-loader
>   module: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid) 
> css-to-string-loader
>   resolve: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules)
>  ./css-to-string-loader
>   new-resolve: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules)
>  ./css-to-string-loader
>   parsed-resolve: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules)
>  ./css-to-string-loader
>   described-resolve: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules)
>  ./css-to-string-loader
>   relative: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
>  
>   described-relative: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
>  
>   raw-file: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
>  
>   file: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
>  
>   relative: 
> (/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
>  
>  @ ./src/themes ^\.\/.*\/index\.scss$
>  @ ./src/mermaidAPI.js
>  @ ./src/mermaid.js
> 
> It would be great if someone can let me know what that means and how to
> go about it.
> Here's the complete log if needed: http://paste.debian.net/1092431/
> This is the local repository where I'm working on:
> https://salsa.debian.org/gi-boi-guest/node-mermaid

Hello,

first apply this:

diff --git a/debian/control b/debian/control
index 41b8b45..e12280f 100644
--- a/debian/control
+++ b/debian/control
@@ -7,7 +7,11 @@ Build-Depends:
  debhelper (>= 10)
  , nodejs (>= 6)
  , node-babel-cli
+ , node-babel-loader
  , node-babel-preset-env
+ , node-buble
+ , node-css-loader
+ , webpack
 Standards-Version: 4.4.0
 Homepage: https://github.com/knsv/mermaid#readme
 Vcs-Git: https://salsa.debian.org/js-team/node-mermaid.git
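Review bot: The Build-Depends additions in this hunk still leave webpack without a loader for the .scss themes: with the patch applied the build stops at "Can't resolve 'sass-loader'", so the list needs one more entry for whichever package provides sass-loader, or the theme import has to be patched out, before the webpack call in debian/rules can finish. Every loader named in the webpack config has to come from this field; nothing else provides it at build time.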
diff --git a/debian/rules b/debian/rules
index 5497d82..0ad3d22 100755
--- a/debian/rules
+++ b/debian/rules
@@ -11,9 +11,9 @@ export NODE_PATH := ${CURDIR}
 override_dh_auto_build:
buble webpack.config.babel.js -o webpack.config.js
mkdir node_modules
-   ln -s scope-css node_modules/scope-css
-   ln -s moment-mini node_modules/moment-mini
-   ln -s css-to-string-loader node_modules/css-to-string-loader
+   ln -s ../scope-css node_modules/
+   ln -s ../moment-mini node_modules/
+   ln -s ../css-to-string-loader node_modules/
webpack

 #override_dh_auto_test:
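Review bot: 'mkdir node_modules' and the three 'ln -s ../... node_modules/' lines in override_dh_auto_build are not re-runnable: a second build in the same tree fails because the directory and the links already exist, and nothing visible here removes node_modules on clean. Suggest 'mkdir -p node_modules' and 'ln -sf', plus node_modules in debian/clean. The '../' targets themselves are right, since a relative symlink target is resolved from the directory that holds the link; the removed lines made each link point at itself, which matches the "Recursion in resolving" trace.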


Then the error is now:
WARNING in ./src/themes ^\.\/.*\/index\.scss$
Module not found: Error: Can't resolve 'sass-loader' in
'/<>'

Cheers,
Xavier


[Pkg-javascript-devel] Processing of node-micromatch_4.0.2-1_sourceonly.changes

2019-07-20 Thread Debian FTP Masters
node-micromatch_4.0.2-1_sourceonly.changes uploaded successfully to localhost
along with the files:
  node-micromatch_4.0.2-1.dsc
  node-micromatch_4.0.2.orig-extend-shallow.tar.gz
  node-micromatch_4.0.2.orig-fill-range.tar.gz
  node-micromatch_4.0.2.orig-is-number.tar.gz
  node-micromatch_4.0.2.orig-nanomatch.tar.gz
  node-micromatch_4.0.2.orig-object-pick.tar.gz
  node-micromatch_4.0.2.orig-snapdragon-node.tar.gz
  node-micromatch_4.0.2.orig-snapdragon-util.tar.gz
  node-micromatch_4.0.2.orig.tar.gz
  node-micromatch_4.0.2-1.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host usper.debian.org)


[Pkg-javascript-devel] Processing of node-braces_3.0.2-1_sourceonly.changes

2019-07-20 Thread Debian FTP Masters
node-braces_3.0.2-1_sourceonly.changes uploaded successfully to localhost
along with the files:
  node-braces_3.0.2-1.dsc
  node-braces_3.0.2.orig.tar.gz
  node-braces_3.0.2-1.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host usper.debian.org)


[Pkg-javascript-devel] Processing of node-to-regex-range_5.0.1-1_sourceonly.changes

2019-07-20 Thread Debian FTP Masters
node-to-regex-range_5.0.1-1_sourceonly.changes uploaded successfully to localhost
along with the files:
  node-to-regex-range_5.0.1-1.dsc
  node-to-regex-range_5.0.1.orig.tar.gz
  node-to-regex-range_5.0.1-1.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host usper.debian.org)


[Pkg-javascript-devel] Processing of node-to-regex_3.0.2+~2.0.2+~0.1.10-1_sourceonly.changes

2019-07-20 Thread Debian FTP Masters
node-to-regex_3.0.2+~2.0.2+~0.1.10-1_sourceonly.changes uploaded successfully to localhost
along with the files:
  node-to-regex_3.0.2+~2.0.2+~0.1.10-1.dsc
  node-to-regex_3.0.2+~2.0.2+~0.1.10.orig-regexptree.tar.gz
  node-to-regex_3.0.2+~2.0.2+~0.1.10.orig-saferegex.tar.gz
  node-to-regex_3.0.2+~2.0.2+~0.1.10.orig.tar.gz
  node-to-regex_3.0.2+~2.0.2+~0.1.10-1.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host usper.debian.org)


[Pkg-javascript-devel] Processing of node-fill-range_7.0.1-1_sourceonly.changes

2019-07-20 Thread Debian FTP Masters
node-fill-range_7.0.1-1_sourceonly.changes uploaded successfully to localhost
along with the files:
  node-fill-range_7.0.1-1.dsc
  node-fill-range_7.0.1.orig.tar.gz
  node-fill-range_7.0.1-1.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host usper.debian.org)


[Pkg-javascript-devel] packaging node mermaid: Recursion in resolving module

2019-07-20 Thread Nilesh Patra
Hi
While packaging node-mermaid and resolving relevant paths, I experience
several of these errors:

WARNING in ./src/themes ^\.\/.*\/index\.scss$
Module not found: Error: Recursion in resolving
Stack:
  resolve: 
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid)
css-to-string-loader
  new-resolve:
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid)
css-to-string-loader
  parsed-resolve:
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid)
css-to-string-loader module
  described-resolve:
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid)
css-to-string-loader module
  raw-module:
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid)
css-to-string-loader
  module: 
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid)
css-to-string-loader
  resolve: 
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules)
./css-to-string-loader
  new-resolve:
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules)
./css-to-string-loader
  parsed-resolve:
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules)
./css-to-string-loader
  described-resolve:
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules)
./css-to-string-loader
  relative:
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
  described-relative:
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
  raw-file:
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
  file: 
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
  relative:
(/home/nilesh/mermaidpack/reversion/node-mermaid-8.1.0/node-mermaid/node_modules/css-to-string-loader)
 @ ./src/themes ^\.\/.*\/index\.scss$
 @ ./src/mermaidAPI.js
 @ ./src/mermaid.js

It would be great if someone can let me know what that means and how to go
about it.
Here's the complete log if needed: http://paste.debian.net/1092431/
This is the local repository where I'm working on:
https://salsa.debian.org/gi-boi-guest/node-mermaid

regards,
Nilesh

[Pkg-javascript-devel] should.js_13.2.1~dfsg-1_sourceonly.changes ACCEPTED into experimental

2019-07-20 Thread Debian FTP Masters


Accepted:

Format: 1.8
Date: Sat, 20 Jul 2019 08:17:21 +0200
Source: should.js
Architecture: source
Version: 13.2.1~dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Xavier Guimard 
Changes:
 should.js (13.2.1~dfsg-1) experimental; urgency=medium
 .
   * Team upload
 .
   [ Jelmer Vernooij ]
   * Remove unnecessary 'Testsuite: autopkgtest' header.
 .
   [ Xavier Guimard ]
   * Bump debhelper compatibility level to 12
   * Declare compliance with policy 4.4.0
   * Change section to javascript
   * Change priority to optional
   * Add debian/gbp.conf
   * Move installed files to /usr/share/nodejs
   * Add upstream/metadata
   * New upstream version 13.2.1~dfsg
   * Add should* components (this replace patches)
   * Build with rollup like upstream
   * Update install
   * Add debian/clean
   * Remove unneeded files in import
   * Update VCS fields to salsa
   * Switch test to pkg-js-tools
   * Update debian/copyright


Thank you for your contribution to Debian.


[Pkg-javascript-devel] Processing of should.js_13.2.1~dfsg-1_sourceonly.changes

2019-07-20 Thread Debian FTP Masters
should.js_13.2.1~dfsg-1_sourceonly.changes uploaded successfully to localhost
along with the files:
  should.js_13.2.1~dfsg-1.dsc
  should.js_13.2.1~dfsg.orig-should-equal.tar.gz
  should.js_13.2.1~dfsg.orig-should-format.tar.gz
  should.js_13.2.1~dfsg.orig-should-type-adaptors.tar.gz
  should.js_13.2.1~dfsg.orig-should-type.tar.gz
  should.js_13.2.1~dfsg.orig-should-util.tar.gz
  should.js_13.2.1~dfsg.orig.tar.gz
  should.js_13.2.1~dfsg-1.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host usper.debian.org)


[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution

2019-07-20 Thread Xavier
Le 20/07/2019 à 06:32, Paolo Greppi a écrit :
> Package: node-mixin-deep
> Version: 1.1.3-3
> Severity: important
> 
> Dear Maintainer,
> 
> node-mixin-deep 1.1.3-3  is affected by a prototype pollution vulnerability:
> https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
> https://github.com/jonschlinkert/mixin-deep/issues/6
> 
> Please upgrade to either 1.3.2 or 2.0.1.
> 
> Thanks, Paolo

Looking at the upstream issue comment, this issue has already been reported
by DSA and fixed (#898315, CVE-2018-3719).

See
https://salsa.debian.org/js-team/node-mixin-deep/blob/master/debian/patches/CVE-2018-3719.diff
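
The bug class reported in this thread, as an added example that is not part of the original messages and is not mixin-deep's or Debian's code: a regression probe that checks whether a recursive merge lets keys from parsed JSON write through to Object.prototype. makeMerge, the three merge variants, MARKER and the probe inputs are constructed for illustration; to check a packaged module, pass its exported merge function to pollutingProbes instead.

```javascript
// Added example, not mixin-deep's code: makeMerge() builds a hypothetical
// recursive merge that skips the key names listed in `blocked`.
const isObject = (v) =>
  v !== null && (typeof v === 'object' || typeof v === 'function') && !Array.isArray(v);

function makeMerge(blocked) {
  return function merge(target, ...sources) {
    for (const src of sources) {
      for (const key of Object.keys(src)) {
        if (blocked.includes(key)) continue;
        if (isObject(src[key])) {
          if (!isObject(target[key])) target[key] = {};
          merge(target[key], src[key]);
        } else {
          target[key] = src[key];
        }
      }
    }
    return target;
  };
}

const unguarded = makeMerge([]);
const protoOnly = makeMerge(['__proto__']);
const guarded = makeMerge(['__proto__', 'constructor', 'prototype']);

// Constructed probe inputs: two key paths that lead to Object.prototype.
const MARKER = 'pp_probe_marker';
const PROBES = [
  `{"__proto__":{"${MARKER}":true}}`,
  `{"constructor":{"prototype":{"${MARKER}":true}}}`,
];

// Returns the probes after which a fresh object shows MARKER, i.e. the
// merge wrote through to Object.prototype. The marker is always removed.
function pollutingProbes(mergeFn) {
  const hits = [];
  for (const probe of PROBES) {
    try {
      mergeFn({}, JSON.parse(probe));
    } catch (err) { /* a merge that throws is still checked below */ }
    if (({})[MARKER] === true) hits.push(probe);
    delete Object.prototype[MARKER];
  }
  return hits;
}

for (const [name, fn] of Object.entries({ unguarded, protoOnly, guarded })) {
  console.log(name, pollutingProbes(fn).length ? 'POLLUTABLE' : 'ok');
}
```

A guard that names only one of the two key paths still fails the probe, which is why the check runs both inputs rather than stopping at the first.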


Re: [Pkg-javascript-devel] automatically pulling vulnerabilities from snyk.io

2019-07-20 Thread Xavier
Le 20/07/2019 à 07:11, Paolo Greppi a écrit :
> After filing https://bugs.debian.org/932500 I realized it would be great
> to have
> some automation in place to automatically pull vulnerabilities from
> https://snyk.io and turn them into CVE bugs in BTS.
> 
> Thoughts ?
> 
> Paolo

Hello,

Our security team follows CVE and opens BTS if needed.

