Control: tags -1 + security

On 08/04/2019 at 00:22, Jeff Cliff wrote:
> Package: node-deep-extend
> Version: 0.4.1-1
> Severity: important
>
> Dear Maintainer,
>
> As per the Ubuntu bug report:
>
> from https://snyk.io/vuln/npm:deep-extend:20180409 :
>
> deep-extend "all the listed modules can be tricked into modifying the
> prototype of "Object" when the attacker control part of the structure
> passed to these function."
>
> This is verifiably true on at least buster, given the PoC listed in the
> above URL, but since it's the same deep-extend in sid, it's probably the
> same there.
>
> The following commit apparently fixes this: (though I haven't verified that)
>
> https://github.com/unclechu/node-deep-extend/commit/433ee51ed606f4e1867ece57b6ff5a47bebb492f

Hello,

this issue is referenced here in https://security-tracker.debian.org/tracker/CVE-2018-3750 and marked as "unimportant"

The commit that fixes this is:
https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
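
The flaw class described in the report above (a recursive merge that can be steered into writing to the prototype of `Object`), shown beside a hardened merge. This is an added example, not code from this thread or from deep-extend: `naiveMerge`, `safeMerge`, `demo` and the JSON input are constructed for illustration, and the upstream fix may be implemented differently.

```javascript
// Keys that reach the prototype chain when used as a merge key.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Hypothetical naive merge showing the flaw class. For key "__proto__",
// target[key] resolves to Object.prototype, so the recursion writes the
// untrusted properties onto the prototype shared by every object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isObj(val) && isObj(target[key])) naiveMerge(target[key], val);
    else target[key] = val;
  }
  return target;
}

// Hardened merge: skips prototype-reaching keys and only recurses into
// properties the target owns itself, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isObj(val) && hasOwn(target, key) && isObj(target[key])) {
      safeMerge(target[key], val);
    } else if (isObj(val)) {
      target[key] = safeMerge({}, val); // filtered deep copy
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed input: JSON.parse creates "__proto__" as an own property,
// which is how untrusted data carries the key into a merge.
function demo() {
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');
  const before = ({}).polluted;
  const safe = safeMerge({}, untrusted);
  const afterSafe = ({}).polluted;
  naiveMerge({}, untrusted);
  const afterNaive = ({}).polluted;
  delete Object.prototype.polluted; // restore the shared prototype
  return { before, afterSafe, afterNaive, safeName: safe.name };
}

console.log(demo());
```

The `afterNaive` check (a property appearing on a fresh `{}`) is also a quick regression test for whichever deep-extend version a package ships.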
