Your message dated Sun, 25 Aug 2019 14:27:34 +0000
with message-id <e1i1tuu-00060d...@fasolo.debian.org>
and subject line Bug#933079: fixed in node-lodash 4.17.11+dfsg-2+deb10u1
has caused the Debian Bug report #933079,
regarding node-lodash: CVE-2019-10744
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
933079: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933079
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-lodash
Version: 4.17.11+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/lodash/lodash/issues/4348
Hi,
The following vulnerability was published for node-lodash.
CVE-2019-10744[0]:
| Versions of lodash lower than 4.17.12 are vulnerable to Prototype
| Pollution. The function defaultsDeep could be tricked into adding or
| modifying properties of Object.prototype using a constructor payload.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-10744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10744
[1] https://github.com/lodash/lodash/issues/4348
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
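The CVE description quoted in the report above says `defaultsDeep` could reach `Object.prototype` through a `constructor` payload. The added JavaScript example below is not lodash's code or the Debian patch. It shows that failure mode in an unfiltered recursive defaults merge beside a variant that filters the dangerous keys. The function names (`naiveDefaultsDeep`, `safeDefaultsDeep`, `demo`) and the input are hypothetical and constructed for illustration.

```javascript
// Added illustration only: neither function is lodash code; all names are hypothetical.
const isObj = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');

// Unfiltered recursive defaults: every source key is followed into the target.
function naiveDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isObj(src) && isObj(target[key])) {
      // target.constructor is inherited (Object), so recursion can leave the target
      naiveDefaultsDeep(target[key], src);
    } else if (target[key] === undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Hardened variant: skip prototype-reaching keys, recurse only into own properties.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const src = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (own && isObj(src) && isObj(target[key])) {
      safeDefaultsDeep(target[key], src);
    } else if (!own || target[key] === undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Constructed input: a JSON document carrying a "constructor" key next to real defaults.
function demo() {
  const input = JSON.parse(
    '{"constructor":{"prototype":{"polluted":true}},"theme":{"color":"blue"}}');
  const merged = safeDefaultsDeep({ theme: {} }, input);
  const afterSafe = ({}).polluted;   // unrelated object, checked after the safe merge
  naiveDefaultsDeep({}, input);
  const afterNaive = ({}).polluted;  // same check after the unfiltered merge
  delete Object.prototype.polluted;  // undo the side effect of the unfiltered merge
  return { color: merged.theme.color, afterSafe, afterNaive };
}

console.log(demo());
```

The same probe on a fresh `{}` works as a regression check after upgrading a package that performs deep merges on untrusted JSON.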
--- Begin Message ---
Source: node-lodash
Source-Version: 4.17.11+dfsg-2+deb10u1
We believe that the bug you reported is fixed in the latest version of
node-lodash, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 933...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <y...@debian.org> (supplier of updated node-lodash package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 13 Aug 2019 19:02:17 +0200
Source: node-lodash
Architecture: source
Version: 4.17.11+dfsg-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Xavier Guimard <y...@debian.org>
Closes: 933079
Changes:
node-lodash (4.17.11+dfsg-2+deb10u1) buster; urgency=medium
.
* Team upload
* Fix prototype pollution (Closes: #933079, CVE-2019-10744)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel