[Pkg-javascript-devel] Bug#941354: node-yarnpkg: CVE-2019-5448
Salvatore Bonaccorso
carnil at debian.org
Sun Sep 29 12:35:26 BST 2019
Source: node-yarnpkg
Version: 1.13.0-2
Severity: important
Tags: security upstream
Control: found -1 1.13.0-1
Hi,
The following vulnerability was published for node-yarnpkg.
CVE-2019-5448[0]:
| Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive
| Data due to HTTP URLs in lockfile causing unencrypted authentication
| data to be sent over the network.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-5448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5448
[1] https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
[2] https://hackerone.com/reports/640904
Regards,
Salvatore
More information about the Pkg-javascript-devel
mailing list