Your message dated Sun, 01 Dec 2019 17:04:19 +0000
with message-id <e1ibsdv-0004kt...@fasolo.debian.org>
and subject line Bug#945249: fixed in angular.js 1.7.9-1
has caused the Debian Bug report #945249,
regarding angular.js: CVE-2019-10768
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
945249: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945249
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: angular.js
Version: 1.5.10-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for angular.js.

CVE-2019-10768[0]:
| In AngularJS before 1.7.9 the function `merge()` could be tricked into
| adding or modifying properties of `Object.prototype` using a
| `__proto__` payload.

There is a simple POC/verifier available on [1].

        angular.merge({}, JSON.parse('{"__proto__": {"xxx": "polluted"}}'));
        console.log(({}).xxx);

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10768
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10768
[1] https://snyk.io/vuln/SNYK-JS-ANGULAR-534884
[2] https://github.com/angular/angular.js/commit/add78e62004e80bb1e16ab2dfe224afa8e513bc3

Regards,
Salvatore

--- End Message ---
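To make the report's point concrete from the defensive side, here is an added example that is not code from the Debian report, from AngularJS or from the Snyk advisory. naiveMerge() is a hypothetical recursive merge with the same weakness the CVE describes (it is not AngularJS's own merge()), and safeMerge() is its hardened counterpart, which goes slightly beyond the report by refusing "constructor" and "prototype" as well as "__proto__", since src.constructor.prototype is the other well-known route to Object.prototype. The payload is constructed and modelled on the PoC in the report.

```javascript
// Added example, not code from the Debian report, AngularJS or Snyk.
// naiveMerge() is a hypothetical recursive merge with the weakness the CVE
// describes; safeMerge() is the hardened form. Neither is AngularJS's merge().

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: copies every own key of src, including an own key literally
// named "__proto__" (which JSON.parse creates as a data property). Reading
// dst["__proto__"] goes through the accessor and yields Object.prototype,
// so the nested payload is merged into the global prototype.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      naiveMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Keys that let a merge escape the target object and reach its prototype
// chain. "constructor" is included because src.constructor.prototype is the
// other common route to Object.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: refuses the unsafe keys and only recurses into objects that dst
// really owns, so an inherited property can never become the merge target.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) {
        dst[key] = {};
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Runs one merge implementation against a constructed payload modelled on the
// PoC in the report, reports whether Object.prototype was polluted, and
// removes the polluted property again so the rest of the process is unaffected.
function demonstrate(mergeFn) {
  const payload = JSON.parse(
    '{"a": 1, "nested": {"b": 2}, "__proto__": {"xxx": "polluted"}}'
  ); // constructed input
  const target = mergeFn({}, payload);
  const polluted = ({}).xxx === 'polluted';
  delete Object.prototype.xxx; // clean up the global state
  return { polluted, ownKeys: Object.keys(target), nestedB: target.nested.b };
}

console.log('naive:', demonstrate(naiveMerge)); // polluted: true
console.log('safe: ', demonstrate(safeMerge));  // polluted: false
```

Both implementations produce the same own keys on the target; the only difference is that the naive one also leaves "xxx" readable on every object in the process. The same probe used in demonstrate() (reading an unexpected property on a fresh `{}` after merging untrusted JSON) is a cheap check to run against any deep-merge helper a code base depends on.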
--- Begin Message ---
Source: angular.js
Source-Version: 1.7.9-1

We believe that the bug you reported is fixed in the latest version of
angular.js, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 945...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated angular.js package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 01 Dec 2019 15:02:51 +0000
Source: angular.js
Architecture: source
Version: 1.7.9-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Closes: 859513 945249
Changes:
 angular.js (1.7.9-1) unstable; urgency=high
 .
   * New upstream release (closes: #859513):
     - fixes CVE-2019-10768: function `merge()` could be tricked into adding
       or modifying properties of `Object.prototype` (closes: #945249).
   * Update watch file.
   * Update debhelper level to 11 .
   * Update Standards-Version to 4.4.1 .
Checksums-Sha1:
 734308d5c347eb96d58fc6a8d6d3f6a1c2e54f6e 1791 angular.js_1.7.9-1.dsc
 2455412e08c6990c7f2a98cda4f9d43c87b98c0e 21371357 angular.js_1.7.9.orig.tar.gz
 9b01f5099281ce57178c0c6e7cbc8ad0d57dc7ec 17960 angular.js_1.7.9-1.debian.tar.xz
Checksums-Sha256:
 66871776a5f07e6d6a8b3de36df88f3c3eeb273117603bc3411025a83265e743 1791 angular.js_1.7.9-1.dsc
 30722798c02b527b9b4952596a21b4e10d1f26928365134bbd245b9709b7d972 21371357 angular.js_1.7.9.orig.tar.gz
 3ffaf6d62e93c6770cb6e279b3c64082d0c023c6827dfa1e2e6588d2b75bf626 17960 angular.js_1.7.9-1.debian.tar.xz
Files:
 371dfca20782f4b026cab4fe1210dcf2 1791 javascript optional angular.js_1.7.9-1.dsc
 b7c0fdbd2b130348cb012377b6c50448 21371357 javascript optional angular.js_1.7.9.orig.tar.gz
 ea448c049dcea3389e4357f19104ee16 17960 javascript optional angular.js_1.7.9-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAl3j7KMACgkQ3OMQ54ZM
yL+NhQ//cP2q+y7fBZ3MLgZwf0PYDQiQzykoATmababsjCj+J643j3crfunP8A11
q/rex0O9BALk4dQiExF/jkC779Ebb0DEjtzxe3IbpnvUGJjIDt1TYACrXhnqPeWN
NdmhLNok8Fw9CZznK4w4abMyD/1rQAMwZYkprlzF1JdQxFtk0T0/p+ra9Kj6CSS9
sHpknbDNtDTJqOP6wj6HpC+iHm/lREk+VvrGW2RFLLRSItBf81UlY5m1q7iXM4N0
TbKa/eb46EhdvU4hwIvLw1wOS9/OBsUfuOcjnL/PjhGNdeNchzf+vFPWsE8ol8MV
7P1OqcM0YLVZ0IABwnoXmfScuS5gZHXmqGTr3wpcatOFbakEntzQ1JpTvAbsuiC4
FNrdje/ah+clvHBzAK+po9mAcNuZ1aG+TGSItIQ5ZIIGu2suX87mQyNZQmWQ4lXP
vbL3WDekSVaDsGZSfNCnZFR3Cf3RkC0EQVBxoE5tk6dYZ8fRtQdOcUybF0kt3ioz
gpvUsgpXuSDW7YW1HrHKxal7zVGW5AEr+3DYclrAt123NxpL00msCpHwIUwFSIL4
jJHPYM4npwjlNQ0vhgITt/qw+vzfcug33UC+92EID0+/v/+UWkBS7tBe+f1qhlHP
mTOedbYvS3mJqo1NT5B1Wo+ZOh8eGLyAuVsFCk1uxL2G7WZGZ5k=
=i8nz
-----END PGP SIGNATURE-----

--- End Message ---
