[Pkg-javascript-devel] Bug#969669: node-node-forge: CVE-2020-7720
Salvatore Bonaccorso
carnil at debian.org
Sun Sep 6 21:05:41 BST 2020
Source: node-node-forge
Version: 0.9.1~dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 0.8.1~dfsg-1
Hi,
The following vulnerability was published for node-node-forge.
CVE-2020-7720[0]:
| The package node-forge before 0.10.0 is vulnerable to Prototype
| Pollution via the util.setPath function. Note: Version 0.10.0 is a
| breaking change removing the vulnerable functions.
As noted, the fix consists of removing the function as a whole, so it might
break users of the module accordingly.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-7720
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
[1] https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
[2] https://github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756
Regards,
Salvatore
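An audit helper for the situation described in the message above, added here as an example (not code from node-forge, Debian or the original mail): it flags node-forge entries older than 0.10.0 in an npm lockfile and lists `util.setPath` call sites that the fixed release would break. The function names and the sample lockfile and source are constructed for illustration.

```javascript
// Added example: audit helper, not code from node-forge or Debian.
// First release without util.setPath, per the CVE text quoted above.
const FIXED = [0, 10, 0];

// Parse "0.9.1" or a Debian-style "0.9.1~dfsg-1" into [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// true = older than 0.10.0, false = fixed, null = unparseable (review by hand).
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return null;
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false;
}

// Collect every node-forge entry from an npm lockfile object.
function findForge(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/node-forge')) hits.push({ path, version: info.version });
    }
  } else { // lockfileVersion 1: nested "dependencies" tree
    (function walk(deps, trail) {
      for (const [name, info] of Object.entries(deps || {})) {
        if (name === 'node-forge') hits.push({ path: [...trail, name].join(' > '), version: info.version });
        walk(info.dependencies, [...trail, name]);
      }
    })(lock.dependencies, []);
  }
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// 1-based line numbers that call util.setPath(...), which 0.10.0 removes.
function findSetPathCalls(source) {
  return source.split('\n').flatMap((line, i) => (/\butil\.setPath\s*\(/.test(line) ? [i + 1] : []));
}

// Constructed sample input (not taken from any real project).
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  'node_modules/node-forge': { version: '0.9.1' },
  'node_modules/example-dep/node_modules/node-forge': { version: '0.10.0' },
} };
const SAMPLE_SOURCE = "const forge = require('node-forge');\nconst cfg = {};\nforge.util.setPath(cfg, ['a', 'b'], 1);";
console.log(findForge(SAMPLE_LOCK), findSetPathCalls(SAMPLE_SOURCE));
```

The call-site scan is a plain text match, so it also reports occurrences inside comments and misses calls made through an alias.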