Your message dated Tue, 30 Mar 2021 21:03:34 +0000
with message-id <e1lrlwq-0008ac...@fasolo.debian.org>
and subject line Bug#986171: fixed in underscore 1.9.1~dfsg-2
has caused the Debian Bug report #986171,
regarding underscore: CVE-2021-23358
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
986171: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986171
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: underscore
Version: 1.9.1~dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>, y...@debian.org

Hi,

The following vulnerability was published for underscore.

CVE-2021-23358[0]:
| The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2
| and before 1.12.1 are vulnerable to Arbitrary Code Execution via the
| template function, particularly when a variable property is passed as
| an argument as it is not sanitized.

[1] provides a POC to verify the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23358
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
[1] https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984

Regards,
Salvatore

--- End Message ---
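The CVE text above says the `variable` option of underscore's `template` function reaches generated code without sanitisation. The following guard is an added example and is not code from the bug report, from underscore upstream or from the Debian package: it rejects any `variable` setting that is not a bare JavaScript identifier before the template compiler sees it. The function names and the injected `compile` parameter are assumptions made here so that the file runs without underscore installed.

```javascript
// Added example (not underscore's own code): validate the `variable`
// setting of a template before it is handed to a compiler such as
// _.template, which places that name into generated function source.

// A bare JavaScript identifier: letters, digits, `_` and `$`,
// not starting with a digit. Anything else may carry code.
const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function isBareIdentifier(name) {
  return typeof name === 'string' && BARE_IDENTIFIER.test(name);
}

// Inspect template settings and throw if `variable` is unsafe.
// Settings without a `variable` key are returned untouched, since the
// compiler then falls back to its default scope object.
function checkTemplateSettings(settings) {
  if (settings && settings.variable !== undefined &&
      !isBareIdentifier(settings.variable)) {
    throw new Error('template variable is not a bare identifier');
  }
  return settings;
}

// Wrapper that compiles only after the settings pass the check.
// `compile` is the real template compiler (e.g. _.template); it is
// passed in here (assumption) so the example has no dependency.
function safeTemplate(compile, text, settings) {
  return compile(text, checkTemplateSettings(settings));
}

// Constructed demo compiler: records which variable name it was given.
function demoCompile(text, settings) {
  const name = (settings && settings.variable) || 'obj';
  return function render(data) {
    return text.replace('<%= ' + name + ' %>', String(data));
  };
}

// Usage: a bare identifier is accepted, a non-identifier is refused.
const ok = safeTemplate(demoCompile, 'hi <%= user %>', { variable: 'user' });
const rendered = ok('alice'); // "hi alice"

function rejects(settings) {
  try { checkTemplateSettings(settings); return false; }
  catch (e) { return true; }
}
```

Applications that let callers supply template settings can run `checkTemplateSettings` at the trust boundary, so that a bad `variable` fails loudly instead of being compiled.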
--- Begin Message ---
Source: underscore
Source-Version: 1.9.1~dfsg-2
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
underscore, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 986...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated underscore package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 30 Mar 2021 22:40:59 +0200
Source: underscore
Architecture: source
Version: 1.9.1~dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 986171
Changes:
 underscore (1.9.1~dfsg-2) unstable; urgency=medium
 .
   * Team upload
 .
   [ Debian Janitor ]
   * Bump debhelper dependency to >= 9, since that's what is used in
     debian/compat.
   * Bump debhelper from old 9 to 12.
   * Set debhelper-compat version in Build-Depends.
   * Set upstream metadata fields: Bug-Database, Repository, Repository-
     Browse.
   * Update standards version to 4.4.1, no changes needed.
   * Set upstream metadata fields: Bug-Submit.
   * Update standards version to 4.5.0, no changes needed.
   * Apply multi-arch hints.
     + node-underscore: Add Multi-Arch: foreign.
 .
   [ Yadd ]
   * Mark autopkgtest as superficial
   * Fix arbitrary code execution and add a test (Closes: #986171)


--- End Message ---