Your message dated Fri, 01 Oct 2021 18:47:08 +0000
with message-id <[email protected]>
and subject line Bug#994448: fixed in node-set-value 3.0.1-2+deb11u1
has caused the Debian Bug report #994448,
regarding node-set-value: CVE-2021-23440 - type confusion allows bypass of CVE-2019-10747
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
994448: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994448
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: node-set-value
X-Debbugs-CC: [email protected]
Severity: important
Tags: security, upstream

Hi,

The following vulnerability was published for node-set-value.

CVE-2021-23440[0]:
| This affects the package set-value before 4.0.1. A type confusion
| vulnerability can lead to a bypass of CVE-2019-10747 when the user-
| provided keys used in the path parameter are arrays.

CVE-2019-10747 was reported as Debian bug 941189. [1]

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23440
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23440
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941189

Please adjust the affected versions in the BTS as needed.


-- 
Neil Williams
=============
https://linux.codehelp.co.uk/

Attachment: pgpT0sPISmiZm.pgp
Description: OpenPGP digital signature


--- End Message ---
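The CVE text quoted in the report describes a key-validation gap: a setter that filters `__proto__`, `constructor` and `prototype` only when the path arrives as a dot-separated string can be bypassed when the same keys arrive as elements of an array. The following hardened path-setter is an added example for this thread, not code from the bug report, the Debian package or upstream set-value. It normalises the path first and validates every segment afterwards, so both path forms are checked identically; the function names (`safeSetValue`, `rejectsPath`, `prototypeIsClean`) and the probe property name `polluted` are assumptions made for the example.

```javascript
// Added example: a hardened path-setter that applies the same key check to
// string paths and array paths. Not the set-value package's code.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Turn either path form into an array of plain string segments. Array
// elements are coerced with String() BEFORE validation, so an element whose
// toString() yields "__proto__" is caught just like the literal string.
function normalizePath(path) {
  if (Array.isArray(path)) {
    return path.map((seg) => String(seg));
  }
  if (typeof path === 'string') {
    return path.split('.');
  }
  throw new TypeError('path must be a string or an array of segments');
}

// Set `value` at `path` inside `target`, refusing any path that walks
// through a prototype-related key. Returns the mutated target.
function safeSetValue(target, path, value) {
  if (target === null || typeof target !== 'object') {
    throw new TypeError('target must be a non-null object');
  }
  const segments = normalizePath(path);
  if (segments.length === 0) {
    throw new Error('path must contain at least one segment');
  }
  // Validate every segment after normalisation, not just the first one.
  for (const seg of segments) {
    if (FORBIDDEN_KEYS.has(seg)) {
      throw new Error(`refusing to set through forbidden key "${seg}"`);
    }
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i += 1) {
    const seg = segments[i];
    // Only descend into an OWN plain-object property; anything inherited or
    // non-object is replaced by a fresh container so we never write into a
    // shared prototype reached through the lookup chain.
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// True if safeSetValue refuses the given path (used to confirm both path
// forms are rejected, not just the string form).
function rejectsPath(path) {
  try {
    safeSetValue({}, path, 'x');
    return false;
  } catch (e) {
    return true;
  }
}

// True if a freshly created object does not carry the probe property,
// i.e. Object.prototype was not polluted by earlier set attempts.
function prototypeIsClean() {
  return ({}).polluted === undefined;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(safeSetValue({}, 'a.b.c', 1)));
  console.log(rejectsPath('__proto__.polluted'), rejectsPath(['__proto__', 'polluted']));
  console.log(prototypeIsClean());
}
```

The important design choice is the order of operations: coerce, then validate, then walk. Validating before coercion is what lets an array element slip past a string-only filter, and walking into inherited properties is what turns an accepted path into a write on a shared prototype.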
--- Begin Message ---
Source: node-set-value
Source-Version: 3.0.1-2+deb11u1
Done: Yadd <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-set-value, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-set-value package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 16 Sep 2021 18:17:19 +0200
Source: node-set-value
Architecture: source
Version: 3.0.1-2+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 994448
Changes:
 node-set-value (3.0.1-2+deb11u1) bullseye; urgency=medium
 .
   * Team upload
   * Fix prototype pollution (Closes: #994448, CVE-2021-23440)
   * Add test for CVE-2021-23440
Checksums-Sha1:
 518a0bd2597820093eac679e6d1cd0654991dbd8 2346 node-set-value_3.0.1-2+deb11u1.dsc
 08e4fcb98437f818342239d03d88a357658ebcfc 23000 node-set-value_3.0.1-2+deb11u1.debian.tar.xz
Checksums-Sha256:
 ec7a0f3a8ade45987bf24b0ae636eaa8044d75cd8e3b214e688051a2b14a3611 2346 node-set-value_3.0.1-2+deb11u1.dsc
 f8e9b43d2408998b914245bf66d85a7f305d3d5fc541df57dbefa1241874b871 23000 node-set-value_3.0.1-2+deb11u1.debian.tar.xz
Files:
 77a8dd22fe7eb98128772c1504c8705d 2346 javascript optional node-set-value_3.0.1-2+deb11u1.dsc
 76e5092060d7afb08751e06f67ad7262 23000 javascript optional node-set-value_3.0.1-2+deb11u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
