[Pkg-javascript-devel] Bug#941189: Bug#941189: node-set-value: CVE-2019-10747

Xavier yadd at debian.org
Thu Sep 26 08:14:21 BST 2019


Hi,

Of course a point release is enough here


Cheers,
Xavier

On 26 September 2019 08:04:35 GMT+02:00, Salvatore Bonaccorso <carnil at debian.org> wrote:
>Hi Xavier,
>
>On Thu, Sep 26, 2019 at 07:31:21AM +0200, Xavier wrote:
>> On 26/09/2019 at 07:12, Salvatore Bonaccorso wrote:
>> > Source: node-set-value
>> > Version: 0.4.0-1
>> > Severity: important
>> > Tags: security upstream
>> > Control: found -1 3.0.0-1
>> > 
>> > Hi,
>> > 
>> > The following vulnerability was published for node-set-value.
>> > 
>> > CVE-2019-10747[0]:
>> > | set-value is vulnerable to Prototype Pollution in versions lower than
>> > | 3.0.1. The function mixin-deep could be tricked into adding or
>> > | modifying properties of Object.prototype using any of the constructor,
>> > | prototype and _proto_ payloads.
>> > 
>> > 
>> > If you fix the vulnerability please also make sure to include the
>> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>> > 
>> > For further information see:
>> > 
>> > [0] https://security-tracker.debian.org/tracker/CVE-2019-10747
>> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747
>> > [1] https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
>> 
>> Hi,
>> 
>> here is a patch for Buster
>
>Thanks, you are fast :). I think like other similar cases for node-*
>modules we can go the buster-pu route here as well.
>
>Unless you object, I will mark it as no-dsa (Can be fixed via point
>release).
>
>Regards,
>Salvatore

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
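The CVE text quoted in this thread names the bug class (prototype pollution through the `constructor`, `prototype` and `__proto__` path segments) but not the mechanism. The following is an added example written for this page, not code from set-value, mixin-deep or the Debian patch: a minimal dotted-path setter that can be walked onto `Object.prototype`, the same setter refusing the three segment names the CVE lists (the blocklist is an assumption about the shape of the 3.0.1 fix, not its code), and a cheap check a maintainer can run to detect that pollution happened.

```javascript
// Added example for this page: not code from set-value or Debian.
// Both setters write `value` at a dotted path, e.g. set({}, 'a.b', 1).

// Naive deep-set: walks every path segment with no filtering, so the path
// '__proto__.x' walks onto Object.prototype and writes x there.
function setUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened variant: refuse the three segment names the CVE text lists and
// never descend into inherited properties. (Assumption: this mirrors the
// idea of the upstream 3.0.1 fix, not its exact code.)
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function setSafe(obj, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN.has(k)) throw new TypeError(`unsafe path segment: ${k}`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, keys[i]);
    if (!own || typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Detection: every built-in own property of Object.prototype is
// non-enumerable, so any enumerable key found there was planted by pollution.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}
```

After `setUnsafe({}, '__proto__.polluted', 'yes')`, every object in the process reads `polluted === 'yes'` and `pollutedKeys()` returns `['polluted']`; `setSafe` throws on the same path and on `constructor.prototype.polluted` while still handling ordinary paths such as `a.b.c`.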

