Your message dated Thu, 28 Feb 2019 08:37:19 +0000
with message-id <e1gzhbv-0009ll...@fasolo.debian.org>
and subject line Bug#923042: fixed in node-handlebars 3:4.1.0-1
has caused the Debian Bug report #923042,
regarding node-handlebars: Prototype Pollution allowing an attacker to execute
arbitrary code
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
923042: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923042
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-handlebars
Version: 3:4.0.10-5
Severity: grave
Tags: security upstream
At https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692 this is reported:
> Affected versions of this package are vulnerable to Prototype Pollution.
> Templates may alter an Object's prototype, thus allowing an attacker to
> execute arbitrary code on the server.
All releases of handlebars older than 4.0.13 should be affected.
- Jonas
--- End Message ---
--- Begin Message ---
Source: node-handlebars
Source-Version: 3:4.1.0-1
We believe that the bug you reported is fixed in the latest version of
node-handlebars, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 923...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pirate Praveen <prav...@debian.org> (supplier of updated node-handlebars package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 28 Feb 2019 13:59:16 +0530
Source: node-handlebars
Binary: handlebars libjs-handlebars libjs-handlebars.runtime
Architecture: source all
Version: 3:4.1.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Pirate Praveen <prav...@debian.org>
Description:
handlebars - build semantic templates effectively with no frustration
libjs-handlebars - let you build semantic templates effectively with no frustration
libjs-handlebars.runtime - runtime for handlebars semantic templates library
Closes: 923042
Changes:
node-handlebars (3:4.1.0-1) unstable; urgency=medium
.
* New upstream version 4.1.0 (Closes: #923042)
* Bump debhelper compatibility level to 11
* Bump Standards-Version to 4.3.0 (no changes needed)
* Use salsa.debian.org in Vcs-* fields
* Refresh patches
--- End Message ---