Your message dated Mon, 08 Apr 2019 13:18:48 +0000
with message-id <e1hduai-0001yv...@fasolo.debian.org>
and subject line Bug#926616: fixed in node-deep-extend 0.4.1-2
has caused the Debian Bug report #926616,
regarding CVE-2018-3750: Prototype Pollution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926616: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926616
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: node-deep-extend
Version: 0.4.1-1
Severity: important

Dear Maintainer,

As per the ubuntu bug report: 

from https://snyk.io/vuln/npm:deep-extend:20180409 :

deep-extend "all the listed modules can be tricked into modifying the prototype of "Object" when the attacker control part of the structure passed to these function."

This is verifiably true on at least buster, given the PoC listed in the above URL, but since it's the same deep-extend in sid, it's probably the same there.

The following commit apparently fixes this: (though I haven't verified that)

https://github.com/unclechu/node-deep-extend/commit/433ee51ed606f4e1867ece57b6ff5a47bebb492f



-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages node-deep-extend depends on:
ii  nodejs  10.15.2~dfsg-1

node-deep-extend recommends no packages.

node-deep-extend suggests no packages.

-- debconf-show failed

--- End Message ---
--- Begin Message ---
Source: node-deep-extend
Source-Version: 0.4.1-2

We believe that the bug you reported is fixed in the latest version of
node-deep-extend, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <y...@debian.org> (supplier of updated node-deep-extend package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 08 Apr 2019 14:52:06 +0200
Source: node-deep-extend
Architecture: source
Version: 0.4.1-2
Distribution: unstable
Urgency: medium
Maintainer: Xavier Guimard <y...@debian.org>
Changed-By: Xavier Guimard <y...@debian.org>
Closes: 926616
Changes:
 node-deep-extend (0.4.1-2) unstable; urgency=medium
 .
   * Team upload
   * Add patch to prevent Object prototype pollution
     (Closes: #926616, CVE-2018-3750)
   * Enable upstream tests using pkg-js-tools
   * Fix VCS fields
   * Fix debian/copyright years
   * Add upstream/metadata
   * Change section to javascript
Checksums-Sha1: 
 09b313125587a0312d0d5e586aebeda6bf93e9b0 2097 node-deep-extend_0.4.1-2.dsc
 af2af5419e35ed689bf8b117e9acac762b97357a 2688 node-deep-extend_0.4.1-2.debian.tar.xz
Checksums-Sha256: 
 a372622ea2191ee068a6e64228f3287a9e10e2940f0123d9e5c14ef071bf0739 2097 node-deep-extend_0.4.1-2.dsc
 8efc57584fb88eed549db8a255b4d0f111df9bc248f98ffb3e340a2824034fa9 2688 node-deep-extend_0.4.1-2.debian.tar.xz
Files: 
 a03be6a7380485762cf7aea0ec4f996f 2097 javascript optional node-deep-extend_0.4.1-2.dsc
 9078181f623a998c30fdc5c35427c694 2688 javascript optional node-deep-extend_0.4.1-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel