On 21/12/2019 at 17:23, Salvatore Bonaccorso wrote:
> Source: npm
> Version: 5.8.0+ds6-4
> Severity: important
> Tags: security upstream
>
> Hi,
>
> The following vulnerabilities were published for npm.
>
> CVE-2019-16775[0]:
> | Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary
> | File Write. It is possible for packages to create symlinks to files
> | outside of the node_modules folder through the bin field upon
> | installation. A properly constructed entry in the package.json bin
> | field would allow a package publisher to create a symlink pointing to
> | arbitrary files on a user's system when the package is
> | installed. This behavior is still possible through install scripts.
> | This vulnerability bypasses a user using the --ignore-scripts install
> | option.
>
> CVE-2019-16776[1]:
> | Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary
> | File Write. It fails to prevent access to folders outside of the
> | intended node_modules folder through the bin field. A properly
> | constructed entry in the package.json bin field would allow a package
> | publisher to modify and/or gain access to arbitrary files on a
> | user's system when the package is installed. This behavior
> | is still possible through install scripts. This vulnerability bypasses
> | a user using the --ignore-scripts install option.
>
> CVE-2019-16777[2]:
> | Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary
> | File Overwrite. It fails to prevent existing globally-installed
> | binaries to be overwritten by other package installations. For
> | example, if a package was installed globally and created a serve
> | binary, any subsequent installs of packages that also create a serve
> | binary would overwrite the previous serve binary. This behavior is
> | still allowed in local installations and also through install scripts.
> | This vulnerability bypasses a user using the --ignore-scripts install
> | option.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-16775
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16775
> [1] https://security-tracker.debian.org/tracker/CVE-2019-16776
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16776
> [2] https://security-tracker.debian.org/tracker/CVE-2019-16777
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16777
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

After discussion with the security team, these vulnerabilities are tagged as no-dsa. Then I'll propose an update for the next point release.

Cheers,
Xavier

--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel