[Pkg-javascript-devel] Bug#952771: marked as done (dojo: CVE-2019-10785)

2020-03-14 Thread Debian Bug Tracking System
Your message dated Sat, 14 Mar 2020 18:47:18 +
with message-id 
and subject line Bug#952771: fixed in dojo 1.14.2+dfsg1-1+deb10u1
has caused the Debian Bug report #952771,
regarding dojo: CVE-2019-10785
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
952771: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952771
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dojo
Version: 1.15.0+dfsg1-1
Severity: important
Tags: security upstream
Control: found -1 1.14.2+dfsg1-1

Hi,

The following vulnerability was published for dojo.

CVE-2019-10785[0]:
| dojox is vulnerable to Cross-site Scripting in all versions before
| version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due
| to dojox.xmpp.util.xmlEncode only encoding the first occurrence of
| each character, not all of them.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10785
[1] https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
[2] https://snyk.io/vuln/SNYK-JS-DOJOX-548257

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: dojo
Source-Version: 1.14.2+dfsg1-1+deb10u1
Done: Xavier Guimard 

We believe that the bug you reported is fixed in the latest version of
dojo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 952...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard  (supplier of updated dojo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 04 Mar 2020 06:41:25 +0100
Source: dojo
Architecture: source
Version: 1.14.2+dfsg1-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Xavier Guimard 
Closes: 952771
Changes:
 dojo (1.14.2+dfsg1-1+deb10u1) buster; urgency=medium
 .
   * Team upload
   * Cleanup improper regex usage (Closes: #952771, CVE-2019-10785)
Checksums-Sha1: 
 95c8eb79c224b0d6ee8b89fa11792d8597ea8e9f 2411 dojo_1.14.2+dfsg1-1+deb10u1.dsc
 94c78d8d226bb56174cca7bedf2e19049e155e36 15492 dojo_1.14.2+dfsg1-1+deb10u1.debian.tar.xz
Checksums-Sha256: 
 4960706ca8ddc582b970a6b9792d7ef7a365c8607396548ed9927fd616f43496 2411 dojo_1.14.2+dfsg1-1+deb10u1.dsc
 c27503a09dd0053a8e6ad6981801800a5013072082c6eacea6fb904f9db4397c 15492 dojo_1.14.2+dfsg1-1+deb10u1.debian.tar.xz
Files: 
 9c919e80c0249f48a037140eb8ed46cf 2411 javascript optional dojo_1.14.2+dfsg1-1+deb10u1.dsc
 3bf2ea31c6765a0de3afcff1c04bf6a1 15492 javascript optional dojo_1.14.2+dfsg1-1+deb10u1.debian.tar.xz

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-
--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

[Pkg-javascript-devel] Bug#952771: marked as done (dojo: CVE-2019-10785)

2020-02-28 Thread Debian Bug Tracking System
Your message dated Sat, 29 Feb 2020 07:34:54 +
with message-id 
and subject line Bug#952771: fixed in dojo 1.15.2+dfsg1-1
has caused the Debian Bug report #952771,
regarding dojo: CVE-2019-10785
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
952771: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952771
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dojo
Version: 1.15.0+dfsg1-1
Severity: important
Tags: security upstream
Control: found -1 1.14.2+dfsg1-1

Hi,

The following vulnerability was published for dojo.

CVE-2019-10785[0]:
| dojox is vulnerable to Cross-site Scripting in all versions before
| version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due
| to dojox.xmpp.util.xmlEncode only encoding the first occurrence of
| each character, not all of them.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10785
[1] https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
[2] https://snyk.io/vuln/SNYK-JS-DOJOX-548257

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
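The bug class named in the CVE text quoted above (an encoder that rewrites only the first occurrence of each special character), shown as an added illustration. This is not dojox's code and not the Debian patch; the function names `xmlEncodeFirstOnly`, `xmlEncodeAll` and `findUnencoded` and the sample payload are constructed for this example, and the corrected form uses the usual single-pass global-regex idiom rather than claiming to mirror the upstream fix.

```javascript
// Added example (not dojox or Debian code): the class of defect described for
// CVE-2019-10785, next to a corrected encoder and a check that detects the gap.

// Defective encoder (constructed to illustrate the bug): String.prototype.replace
// with a non-global pattern substitutes only the FIRST match, so a second '<'
// or '&' in the input reaches the output untouched.
function xmlEncodeFirstOnly(str) {
  return String(str)
    .replace(/&/, "&amp;")
    .replace(/</, "&lt;")
    .replace(/>/, "&gt;")
    .replace(/"/, "&quot;")
    .replace(/'/, "&#39;");
}

// Corrected encoder: one global regex with a lookup table encodes every
// occurrence in a single pass, so '&' is never double-encoded either.
const XML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function xmlEncodeAll(str) {
  return String(str).replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// Defender-side check for encoder output: report raw markup characters that
// should have been encoded. A bare '&' counts unless it starts one of the
// entities this encoder emits. Returns [{index, char}]; empty means clean.
function findUnencoded(encoded) {
  const findings = [];
  const re = /[<>"']|&(?!(amp|lt|gt|quot|#39);)/g;
  let m;
  while ((m = re.exec(encoded)) !== null) {
    findings.push({ index: m.index, char: m[0] });
  }
  return findings;
}

// Constructed sample input with repeated markup characters.
const SAMPLE = '<b>Tom & Jerry</b> said "hi" & \'bye\'';

// Runs both encoders over the sample and checks each result.
function demo() {
  const weak = xmlEncodeFirstOnly(SAMPLE);
  const strong = xmlEncodeAll(SAMPLE);
  return {
    weak,
    strong,
    weakFindings: findUnencoded(weak),
    strongFindings: findUnencoded(strong),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Running `demo()` shows the first-occurrence encoder leaving the closing `</b>`, the second `"`, the second `&` and the second `'` raw, while the single-pass encoder produces output on which `findUnencoded` returns nothing. The check is the kind of unit test that would have caught this class of bug before release: feed an encoder an input with every special character repeated and assert that no raw markup survives.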
--- Begin Message ---
Source: dojo
Source-Version: 1.15.2+dfsg1-1
Done: Xavier Guimard 

We believe that the bug you reported is fixed in the latest version of
dojo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 952...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard  (supplier of updated dojo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 29 Feb 2020 08:17:40 +0100
Source: dojo
Architecture: source
Version: 1.15.2+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Xavier Guimard 
Closes: 952771
Changes:
 dojo (1.15.2+dfsg1-1) unstable; urgency=medium
 .
   * Team upload
 .
   [ Debian Janitor ]
   * Update standards version to 4.4.1, no changes needed.
   * debian/copyright: use spaces rather than tabs to start continuation
 lines.
   * Fix day-of-week for changelog entries 1.3.2+dfsg-1.
 .
   [ Xavier Guimard ]
   * Declare compliance with policy 4.5.0
   * Add debian/gbp.conf
   * Add upstream/metadata
   * New upstream version 1.15.2+dfsg1 (Closes: #952771, CVE-2019-10785)
   * Update lintian overrides
Checksums-Sha1: 
 759df8d54aaf0a7ed583c7262f7e2fdc53852d86 2385 dojo_1.15.2+dfsg1-1.dsc
 2b0d676dcadebaf069bedce9404c2cc577d07f9f 30314740 dojo_1.15.2+dfsg1.orig.tar.xz
 91f451c423d779e59b2e4ce726b0db2a9bc1eabc 15256 dojo_1.15.2+dfsg1-1.debian.tar.xz
Checksums-Sha256: 
 790e67a3044c9f4045d107aa88e7d5b9789d8f32da545a9b73184a37b303a71b 2385 dojo_1.15.2+dfsg1-1.dsc
 9af21c31590815ebb14bb6a58cde17841c0c5ac391fb0af4530d85431c615500 30314740 dojo_1.15.2+dfsg1.orig.tar.xz
 5acd883095aa2dc9091d4b6e22e965ee1b2901c8b8f112944ab7285f087361a8 15256 dojo_1.15.2+dfsg1-1.debian.tar.xz
Files: 
 4a63dc40c4d99d1d263fd547e979d151 2385 javascript optional dojo_1.15.2+dfsg1-1.dsc
 7f35fc74fdce6055774b45521ec765a2 30314740 javascript optional dojo_1.15.2+dfsg1.orig.tar.xz
 4d7eeac54b4fe6060f0b4fb708022157 15256 javascript optional dojo_1.15.2+dfsg1-1.debian.tar.xz

-BEGIN PGP SIGNATURE-