On Tue, Mar 30, 2021 at 11:00:00PM +0200, Yadd wrote:
> On 30/03/2021 at 21:40, Salvatore Bonaccorso wrote:
> > Source: underscore
> > Version: 1.9.1~dfsg-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>, y...@debian.org
> >
> > Hi,
> >
> > The following vulnerability was published for underscore.
> >
> > CVE-2021-23358[0]:
> > | The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2
> > | and before 1.12.1 are vulnerable to Arbitrary Code Execution via the
> > | template function, particularly when a variable property is passed as
> > | an argument as it is not sanitized.
> >
> > [1] provides a POC to verify the issue.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2021-23358
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
> > [1] https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
> >
> > Regards,
> > Salvatore
>
> Hi,
>
> here is a debdiff for buster including:
> * backport of upstream patch
> * autopkgtest file (tested)
Hi,

looks good! Please upload to security-master

Cheers,
Moritz
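The CVE text above says only that the `variable` setting of the template function "is not sanitized". The following is an added example, not part of this thread and not underscore's source: it rebuilds the one relevant step, splicing a caller-controlled `variable` into the parameter list of a function created with `new Function(...)`, shows why that is code execution (an ES2015 default-parameter expression in the parameter list runs when the render function is called without that argument), and puts a bare-identifier check beside it. The template compiler, the regex, the marker global and the function names are all constructed for this example; the check is the same kind of validation the upstream fix applies, not a quotation of the patch.

```javascript
'use strict';

// Constructed for this example: a minimal template compiler that mirrors the
// vulnerable shape behind CVE-2021-23358. It is NOT underscore's real code;
// only the handling of `settings.variable` matters here.
const INTERPOLATE = /<%=([\s\S]+?)%>/g;

function buildSource(text) {
  // Turn "Hi <%= data.name %>!" into a function body that concatenates parts.
  let source = "var __p = '';\n";
  let index = 0;
  for (const m of text.matchAll(INTERPOLATE)) {
    source += '__p += ' + JSON.stringify(text.slice(index, m.index)) + ';\n';
    source += '__p += (' + m[1] + ');\n';
    index = m.index + m[0].length;
  }
  source += '__p += ' + JSON.stringify(text.slice(index)) + ';\n';
  source += 'return __p;\n';
  return source;
}

// Vulnerable shape: `variable` becomes the first parameter name verbatim, so
// the generated function is `function anonymous(<variable>,_) { ... }`.
// Anything that is syntactically valid in a parameter list is accepted,
// including `name = <expression>` (a default parameter), which is evaluated
// every time the render function is called without that argument.
function compileTemplateUnsafe(text, settings = {}) {
  const argument = settings.variable || 'obj';
  return new Function(argument, '_', buildSource(text));
}

// Hardened shape: refuse anything that is not a bare identifier before it
// reaches `new Function`. The regex is this example's own (an assumption).
const BARE_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function compileTemplateSafe(text, settings = {}) {
  if (settings.variable !== undefined && !BARE_IDENTIFIER.test(settings.variable)) {
    throw new Error('variable is not a bare identifier: ' + settings.variable);
  }
  return compileTemplateUnsafe(text, settings);
}

// A harmless side-effect marker stands in for the real POC's command execution.
globalThis.__cve_2021_23358_marker = 'untouched';
const PAYLOAD = "data = (globalThis.__cve_2021_23358_marker = 'code ran')";

// Vulnerable path: the payload compiles, and the default-parameter expression
// fires on the first call made without `data`.
function runUnsafe() {
  globalThis.__cve_2021_23358_marker = 'untouched';
  const render = compileTemplateUnsafe('hello', { variable: PAYLOAD });
  render();
  return globalThis.__cve_2021_23358_marker; // 'code ran'
}

// Hardened path: compilation is rejected and the marker is never touched.
function runSafe() {
  globalThis.__cve_2021_23358_marker = 'untouched';
  try {
    compileTemplateSafe('hello', { variable: PAYLOAD });
    return 'compiled';
  } catch (e) {
    return e.message;
  }
}

// Legitimate use still works with the check in place.
function benignUse() {
  const render = compileTemplateSafe('Hi <%= data.name %>!', { variable: 'data' });
  return render({ name: 'Yadd' }); // 'Hi Yadd!'
}

console.log('unsafe:', runUnsafe());
console.log('safe:  ', runSafe());
console.log('benign:', benignUse());
```

The point for the backport review is that the dangerous input never needs to look like a template: an empty or constant template string with a crafted `variable` is enough, because the injection lands in the parameter list rather than in the template body, and it triggers on the first call of the compiled function.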