Your message dated Sun, 10 Nov 2019 19:47:17 +0000
with message-id <e1ittb7-0004to...@fasolo.debian.org>
and subject line Bug#931408: fixed in node-fstream 1.0.10-1+deb10u1
has caused the Debian Bug report #931408,
regarding node-fstream: CVE-2019-13173
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
931408: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931408
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-fstream
Version: 1.0.10-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for node-fstream.

CVE-2019-13173[0]:
| fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite.
| Extracting tarballs containing a hardlink to a file that already
| exists in the system, and a file that matches the hardlink, will
| overwrite the system's file with the contents of the extracted file.
| The fstream.DirWriter() function is vulnerable.

In commit [2], there is an open question whether that is sufficient.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13173
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173
[1] https://www.npmjs.com/advisories/886
[2] https://github.com/npm/fstream/commit/6a77d2fa6e1462693cf8e46f930da96ec1b0bb22

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-fstream
Source-Version: 1.0.10-1+deb10u1

We believe that the bug you reported is fixed in the latest version of
node-fstream, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 931...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <y...@debian.org> (supplier of updated node-fstream package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 01 Sep 2019 22:37:19 +0200
Source: node-fstream
Architecture: source
Version: 1.0.10-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Javascript Maintainers 
<pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Xavier Guimard <y...@debian.org>
Closes: 931408
Changes:
 node-fstream (1.0.10-1+deb10u1) buster; urgency=medium
 .
   * Team upload
   * Clobber a Link if it's in the way of a File
     (Closes: #931408, CVE-2019-13173)
Checksums-Sha1: 
 88ee92d8bac4343c4970e4649b90b35d24eaf3de 2077 node-fstream_1.0.10-1+deb10u1.dsc
 1b0080f7cc2452cd67e7a93f9cdf6391a664c980 3168 
node-fstream_1.0.10-1+deb10u1.debian.tar.xz
Checksums-Sha256: 
 6696853c3ae8830153b48791def8076a7701c15dd20158ee269180a88277ed9d 2077 
node-fstream_1.0.10-1+deb10u1.dsc
 33b0232cdb788f2ec1c91694038e529db0abaab7cd771faffdca0a5dde05a7f4 3168 
node-fstream_1.0.10-1+deb10u1.debian.tar.xz
Files: 
 ba01ad99b1e801b5a5458dc2bcb2fb30 2077 web extra 
node-fstream_1.0.10-1+deb10u1.dsc
 cb5c919312108ffc154d3f137674549b 3168 web extra 
node-fstream_1.0.10-1+deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAl3HwqcACgkQ9tdMp8mZ
7uliHg//VWLhYR2rEqbJZBCNCOfk5lDuMPckRLNpEWrfqX6qh5MVUst5+SBI/GJw
GWMsgFNRFOTOsO/xcRfwfY8CLcg42au6bzm7FFY8uhZ7S66C260QXKFxaTbAY98W
Z3/8B32DcYltq5usQ/5l0/EuTnA43ZdC5vdH6X4VG/+q/kzakhzh8XO6XhFZocbk
vnk6wF+sgp1Gjy1mfwu5ZSq5JieLnm4GBvd3EjyD20vI/eDutjJFQugWlbROr2NY
13Gl2m1TLPfTjx1+nk6RiRSWbBcv6ZRXB+n38l1n5V/cJKC2i8tI8T4yO1mapZy3
fdwOGzsDgqbMZYYLfb1TNjsjLeb/xHwlBEGeFuC4BcUJQWJStqMIVb/MFJAMbEGX
nXjKfbASwMWxulNS7dhvHR0rrUgal2m3I/GhkELSfbs+J1bOeN++ffPCl2ma0EWj
22yaP3qlXHY7maGhqJWEFmRLMFuLbMGutmrDvembCz/VeOxOXUOJMSv6M7Xr5RfB
WxhKzzurqoOA7fZis4Qonp5lV3ly0YQe47qf6Uxd3bHy/iOYIlZKpU8O++yhM7P3
mxo4FHuxxOYIiPmScGjZElWiQFBLKS/5s/l8n/uuGgb/FtiHDRzwGWxsXNvuj2fe
Q15ui2uC5TH85kuO8Kl2QgPddSUsseBdjbuPuCM5JfCzp1uSJ88=
=PRID
-----END PGP SIGNATURE-----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
