Your message dated Tue, 13 Aug 2019 16:19:44 +0000
with message-id <e1hxzws-000g3r...@fasolo.debian.org>
and subject line Bug#933079: fixed in node-lodash 4.17.15+dfsg-1
has caused the Debian Bug report #933079,
regarding node-lodash: CVE-2019-10744
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
933079: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933079
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-lodash
Version: 4.17.11+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/lodash/lodash/issues/4348

Hi,

The following vulnerability was published for node-lodash.

CVE-2019-10744[0]:
| Versions of lodash lower than 4.17.12 are vulnerable to Prototype
| Pollution. The function defaultsDeep could be tricked into adding or
| modifying properties of Object.prototype using a constructor payload.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10744
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10744
[1] https://github.com/lodash/lodash/issues/4348

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
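
The constructor-based pollution described in CVE-2019-10744 above, shown with a simplified deep-defaults merge beside a hardened one. This is an added example, not part of the original bug report and not lodash's code; the helper names, the blocked-key list and the sample input are assumptions constructed for illustration.

```javascript
// Added example: simplified merge helpers, NOT lodash's implementation.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlain = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const isObjectLike = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');

// Vulnerable pattern: target[key] is read through the prototype chain, so an
// untrusted "constructor" key resolves to the built-in Object function.
function naiveDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isPlain(src) && isObjectLike(target[key])) naiveDefaultsDeep(target[key], src);
    else if (target[key] === undefined) target[key] = src;
  }
  return target;
}

// Hardened pattern: skip prototype-reaching keys, recurse into own properties only.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    const cur = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (isPlain(src)) {
      if (cur === undefined) target[key] = safeDefaultsDeep({}, src);
      else if (isPlain(cur)) safeDefaultsDeep(cur, src);
    } else if (cur === undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Constructed sample input (hypothetical marker name), parsed as untrusted JSON.
const SAMPLE = '{"constructor":{"prototype":{"pollutedMarker":"yes"}},"theme":{"color":"blue"}}';

function demo() {
  const out = {};
  try {
    naiveDefaultsDeep({}, JSON.parse(SAMPLE));
    out.naivePolluted = ({}).pollutedMarker === 'yes';
  } finally {
    delete Object.prototype.pollutedMarker; // always undo the side effect
  }
  out.merged = safeDefaultsDeep({ theme: { size: 1 } }, JSON.parse(SAMPLE));
  out.safePolluted = 'pollutedMarker' in {};
  return out;
}
```

The hardened helper only illustrates the class of check; for the packaged library the remedy is the fixed version named in this report.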
--- Begin Message ---
Source: node-lodash
Source-Version: 4.17.15+dfsg-1

We believe that the bug you reported is fixed in the latest version of
node-lodash, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 933...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <y...@debian.org> (supplier of updated node-lodash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 13 Aug 2019 17:47:38 +0200
Source: node-lodash
Architecture: source
Version: 4.17.15+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Xavier Guimard <y...@debian.org>
Changed-By: Xavier Guimard <y...@debian.org>
Closes: 933079
Changes:
 node-lodash (4.17.15+dfsg-1) unstable; urgency=medium
 .
   * Team upload
   * Bump debhelper compatibility level to 12
   * Update gbp.conf
   * New upstream version 4.17.15+dfsg (Closes: #933079, CVE-2019-10744)
   * Update debian/copyright
   * Install in /usr/share/nodejs
   * Update debian/clean
   * Allow stderr output in autopkgtest "require" test. Fixes debci
   * Remove LICENSE and README.md files in node-lodash-packages

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
