Your message dated Sun, 29 Sep 2019 18:19:49 +0000
with message-id <e1iednr-000btu...@fasolo.debian.org>
and subject line Bug#941354: fixed in node-yarnpkg 1.13.0-3
has caused the Debian Bug report #941354,
regarding node-yarnpkg: CVE-2019-5448
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
941354: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941354
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-yarnpkg
Version: 1.13.0-2
Severity: important
Tags: security upstream
Control: found -1 1.13.0-1

Hi,

The following vulnerability was published for node-yarnpkg.

CVE-2019-5448[0]:
| Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive
| Data due to HTTP URLs in lockfile causing unencrypted authentication
| data to be sent over the network.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5448
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5448
[1] https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
[2] https://hackerone.com/reports/640904

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-yarnpkg
Source-Version: 1.13.0-3

We believe that the bug you reported is fixed in the latest version of
node-yarnpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 941...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paolo Greppi <paolo.gre...@libpf.com> (supplier of updated node-yarnpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Sep 2019 14:07:45 +0200
Source: node-yarnpkg
Architecture: source
Version: 1.13.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Paolo Greppi <paolo.gre...@libpf.com>
Closes: 941354
Changes:
 node-yarnpkg (1.13.0-3) unstable; urgency=medium
 .
   * Forces using https for the regular registries (Closes: #941354)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
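
An added example, not part of the original bug report and not Yarn's or Debian's own code: an audit for the condition CVE-2019-5448 describes, plain-HTTP `resolved` URLs in a v1 `yarn.lock`. The `ENFORCED_HOSTS` pattern standing in for the "regular registries", the name `auditLockfile` and the sample lockfile are assumptions constructed for illustration.

```javascript
// Hosts treated as "regular registries" whose entries can be rewritten to https.
// Assumption for this example; adjust to the registries you actually use.
const ENFORCED_HOSTS = /(^|\.)(yarnpkg\.com|npmjs\.org|npmjs\.com)$/;

// Constructed sample lockfile (yarn v1 format), not taken from a real project.
const SAMPLE_LOCKFILE = `# yarn lockfile v1

left-pad@^1.3.0:
  version "1.3.0"
  resolved "http://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#0000"
  integrity sha512-CONSTRUCTED

"@scope/pkg@^2.0.0":
  version "2.0.1"
  resolved "https://registry.npmjs.org/@scope/pkg/-/pkg-2.0.1.tgz#1111"

internal-lib@1.0.0:
  version "1.0.0"
  resolved "http://npm.internal.example/internal-lib/-/internal-lib-1.0.0.tgz#2222"
`;

// Returns one finding per lockfile entry whose tarball is fetched over http.
function auditLockfile(text) {
  const findings = [];
  let entry = null;
  text.split(/\r?\n/).forEach((line, i) => {
    // Entry headers start in column 0 and end with ':'.
    if (/^\S.*:$/.test(line) && !line.startsWith('#')) {
      entry = line.slice(0, -1).replace(/"/g, '');
      return;
    }
    const m = /^\s+resolved\s+"?([^"\s]+)"?/.exec(line);
    if (!m) return;
    let url;
    try { url = new URL(m[1]); } catch { return; } // skip unparsable values
    if (url.protocol !== 'http:') return;
    const enforced = ENFORCED_HOSTS.test(url.hostname);
    let suggestion = null;
    // Only known public registries get an automatic https rewrite; anything
    // else (e.g. a private registry) is reported for manual review.
    if (enforced) { url.protocol = 'https:'; suggestion = url.href; }
    findings.push({ entry, line: i + 1, url: m[1], host: url.hostname, enforced, suggestion });
  });
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCKFILE));
```

Entries reported with `enforced: false` point at hosts outside the assumed registry list, so a fix that forces https only for the regular registries would leave them on http.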
