Your message dated Thu, 17 Sep 2020 10:35:27 +0000
with message-id <e1kirgb-000gow...@fasolo.debian.org>
and subject line Bug#969669: fixed in node-node-forge 0.10.0~dfsg-1
has caused the Debian Bug report #969669,
regarding node-node-forge: CVE-2020-7720
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
969669: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-node-forge
Version: 0.9.1~dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1  0.8.1~dfsg-1

Hi,

The following vulnerability was published for node-node-forge.

CVE-2020-7720[0]:
| The package node-forge before 0.10.0 is vulnerable to Prototype
| Pollution via the util.setPath function. Note: Version 0.10.0 is a
| breaking change removing the vulnerable functions.

As noted, the fix consists of removing the function as a whole, so it might
break users of the module accordingly.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7720
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
[1] https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
[2] https://github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-node-forge
Source-Version: 0.10.0~dfsg-1
Done: Jonas Smedegaard <d...@jones.dk>

We believe that the bug you reported is fixed in the latest version of
node-node-forge, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 969...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated node-node-forge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 17 Sep 2020 12:16:19 +0200
Source: node-node-forge
Architecture: source
Version: 0.10.0~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Closes: 969669
Changes:
 node-node-forge (0.10.0~dfsg-1) unstable; urgency=high
 .
   [ upstream ]
   * new release(s)
     + Remove object path functions.
       closes: bug#969669, thanks to Salvatore Bonaccorso
       CVE-2020-7720
 .
   [ Jonas Smedegaard ]
   * simplify source script copyright-check
   * use debhelper compatibility level 12 (not 10);
     build-depend on debhelper-compat (not debhelper)
   * declare compliance with Debian Policy 4.5.0
   * fix stop needlessly build-depend on perl
   * drop patch 1001, fixed upstream
   * set urgency=high due to security-related fix
Checksums-Sha1:
 dc20778182656ae647d37836d2c8ca7934afcecd 2194 node-node-forge_0.10.0~dfsg-1.dsc
 7eb4e943b14c06ed176276599b356010d90fd802 360652 node-node-forge_0.10.0~dfsg.orig.tar.xz
 519e26a240e645a60ca7e5a7463b1e844dea971f 6920 node-node-forge_0.10.0~dfsg-1.debian.tar.xz
 6f4ab83a74673644b598e7fdddc8c406d1b20b77 14655 node-node-forge_0.10.0~dfsg-1_amd64.buildinfo
Checksums-Sha256:
 d91731e9777ed0a8f53463934467c3c4d4970b8a70a8e240bd7d28869dcb4f44 2194 node-node-forge_0.10.0~dfsg-1.dsc
 2634b3d386476e85ce128a0656abbcc52f9268f1bf985c82e3ad0eb4c603a268 360652 node-node-forge_0.10.0~dfsg.orig.tar.xz
 d2aa877f73e2a5679eecc156821f79c8d1cf0c471f5b5cf47356defed4fa7f8a 6920 node-node-forge_0.10.0~dfsg-1.debian.tar.xz
 c2b64ca9707eb2b70d670f8a5c7eab2f1d57f9b330aec17d3aed48e102c87191 14655 node-node-forge_0.10.0~dfsg-1_amd64.buildinfo
Files:
 877f2153618f7ba7b0e76d01696efe93 2194 javascript optional node-node-forge_0.10.0~dfsg-1.dsc
 7c62e655dc4e39cd52cc6c246e02b97c 360652 javascript optional node-node-forge_0.10.0~dfsg.orig.tar.xz
 afc4f6f9b022c86c1bd168b1a67f1324 6920 javascript optional node-node-forge_0.10.0~dfsg-1.debian.tar.xz
 6a65e0ac865847852d60dbdb790211bc 14655 javascript optional node-node-forge_0.10.0~dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAl9jOBIACgkQLHwxRsGg
ASH3txAAk5+8+KjMjlHX97SSXE1KZSPq5Uf+Rom+8B12ydKzmJOwlhZLpqnSd2uC
2Y57iT5FAvWDJjOcaAansdWpfemH4aExkXmpPHqFQ1++3RQokwYac6zDlECLisNs
8j/u8fDsmPjJWCqBhDpoibmKX/wI+8ZHloJ3cYb9Iy5IxQbd+IEV6qloVr3ghZK1
xAl0lIfMOF39uWwujqyV7pU1v99xAcwsoTcIFmBPMrcz+HDzCpruX9Zr8UUzyGcS
/pPAAtQOB7pIF0HTOdzV0PpVHExsMQFAPIa5Qjqu7AlsHT4kPZezquo9WaCvcl94
BhdEw6QvnSgvibhWypl7aUOi1CsrK+lKYUSVemCMfz2tKEwlcEHvOjnuBVZiHkM5
3Ep0lk35ulpWi4WN8js5ehgP+V7+ifPUfCYhwrDEtc+iaWk/bajujtJpajOMu2G0
pXApp/fKP8gqJERbmcZfSaxUhH5Q/Z/ZFSUNMwtvxYwMsRlbV6Jz+ELMdeAMsKU5
M4yZ15Tuh1d8fMRhPjlwQtqKbzPELzSvMTZ1+7x0VE1saf7Pv0kb80Klxvdsqe4A
thjCvTVxRDxWoSNu4JYvpYX1ZYlB0YSpYne/p8zMYzKaJ9Qz6twU8eM+R5WuEvRQ
+ftyYs0ZBVON6d267imnwHeD1q64seB+kFf1FOLlz2p6GUFzDgA=
=DWR/
-----END PGP SIGNATURE-----

--- End Message ---