[Pkg-javascript-devel] Bug#941189: Bug#941189: node-set-value: CVE-2019-10747

Salvatore Bonaccorso carnil at debian.org
Thu Sep 26 07:04:35 BST 2019


Hi Xavier,

On Thu, Sep 26, 2019 at 07:31:21AM +0200, Xavier wrote:
> On 26/09/2019 at 07:12, Salvatore Bonaccorso wrote:
> > Source: node-set-value
> > Version: 0.4.0-1
> > Severity: important
> > Tags: security upstream
> > Control: found -1 3.0.0-1
> > 
> > Hi,
> > 
> > The following vulnerability was published for node-set-value.
> > 
> > CVE-2019-10747[0]:
> > | set-value is vulnerable to Prototype Pollution in versions lower than
> > | 3.0.1. The function mixin-deep could be tricked into adding or
> > | modifying properties of Object.prototype using any of the constructor,
> > | prototype and _proto_ payloads.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-10747
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747
> > [1] https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
> 
> Hi,
> 
> here is a patch for Buster

Thanks, you are fast :). I think, like other similar cases for node-*
modules, we can go the buster-pu route here as well.

Unless you object, I will mark it as no-dsa (Can be fixed via point
release).

Regards,
Salvatore
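The CVE text quoted above names the three path segments (`constructor`, `prototype`, `__proto__`) that let a deep setter reach Object.prototype. As an added illustration (not code from set-value, mixin-deep or the patch attached to this thread), here is a minimal dotted-path setter in that naive shape beside a hardened one that rejects those segments and only descends into own properties; `naiveSet`, `safeSet` and `runDemo` are hypothetical names.

```javascript
// Added example for this thread (not set-value's or the patch's code): a
// dotted-path setter in the naive shape CVE-2019-10747 describes, beside a
// hardened version that rejects the segments reaching Object.prototype.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive: creates intermediates only when missing, so "__proto__.x" or
// "constructor.prototype.x" walks into Object.prototype and writes there.
function naiveSet(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node[keys[i]] == null) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject the dangerous segments up front and only descend into
// own, plain-object properties, never through inherited ones.
function safeSet(target, path, value) {
  const keys = path.split('.');
  const bad = keys.find((k) => UNSAFE_KEYS.has(k));
  if (bad !== undefined) throw new TypeError(`unsafe key "${bad}" in "${path}"`);
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs both setters against the CVE's payload shape and cleans up after.
function runDemo() {
  const out = {};
  naiveSet({}, '__proto__.polluted', 'yes');
  out.naivePolluted = ({}).polluted === 'yes';  // every new object sees it
  delete Object.prototype.polluted;             // undo the pollution
  let rejected = false;
  try { safeSet({}, 'constructor.prototype.polluted', 'yes'); }
  catch (e) { rejected = e instanceof TypeError; }
  out.safeRejected = rejected;
  out.cleanAfterSafe = ({}).polluted === undefined;
  return out;
}
```

Rejecting the segments outright (rather than silently skipping them) is the easier behaviour to audit, since a caller passing such a path is almost certainly handling untrusted input.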