Your message dated Thu, 09 Jan 2020 17:20:38 +0000
with message-id <e1ipbu6-0006j5...@fasolo.debian.org>
and subject line Bug#947127: fixed in npm 6.13.4+ds-1
has caused the Debian Bug report #947127,
regarding npm: CVE-2019-16775 CVE-2019-16776 CVE-2019-16777
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
947127: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947127
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: npm
Version: 5.8.0+ds6-4
Severity: important
Tags: security upstream
Hi,
The following vulnerabilities were published for npm.
CVE-2019-16775[0]:
| Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary
| File Write. It is possible for packages to create symlinks to files
| outside of the node_modules folder through the bin field upon
| installation. A properly constructed entry in the package.json bin
| field would allow a package publisher to create a symlink pointing to
| arbitrary files on a user's system when the package is
| installed. This behavior is still possible through install scripts.
| This vulnerability bypasses a user using the --ignore-scripts install
| option.
CVE-2019-16776[1]:
| Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary
| File Write. It fails to prevent access to folders outside of the
| intended node_modules folder through the bin field. A properly
| constructed entry in the package.json bin field would allow a package
| publisher to modify and/or gain access to arbitrary files on a
| user's system when the package is installed. This behavior
| is still possible through install scripts. This vulnerability bypasses
| a user using the --ignore-scripts install option.
CVE-2019-16777[2]:
| Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary
| File Overwrite. It fails to prevent existing globally-installed
| binaries to be overwritten by other package installations. For
| example, if a package was installed globally and created a serve
| binary, any subsequent installs of packages that also create a serve
| binary would overwrite the previous serve binary. This behavior is
| still allowed in local installations and also through install scripts.
| This vulnerability bypasses a user using the --ignore-scripts install
| option.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-16775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16775
[1] https://security-tracker.debian.org/tracker/CVE-2019-16776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16776
[2] https://security-tracker.debian.org/tracker/CVE-2019-16777
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16777
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: npm
Source-Version: 6.13.4+ds-1
We believe that the bug you reported is fixed in the latest version of
npm, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 947...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <y...@debian.org> (supplier of updated npm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 09 Jan 2020 17:51:19 +0100
Source: npm
Architecture: source
Version: 6.13.4+ds-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers
<pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Xavier Guimard <y...@debian.org>
Closes: 904422 914510 947127
Changes:
npm (6.13.4+ds-1) experimental; urgency=medium
.
* Team upload
.
[ Pirate Praveen ]
* Drop myself from uploaders
.
[ Manas Kashyap ]
* ip-regex module added in dependency as its packaged
* New upstream version 6.10.3+ds
* added node-yargs-parser and node-yargs in dependency list
* added ajv,yallist,y18n,xtend,xdg-basedir,wrap-ansi in dependency list
* added node-widest-line, node-wide-align, node-which-module, node-verror,
node-uuid, node-util-deprecate, node-url-parse-lax, node-unique-string,
node-uid-number, node-typedarray, node-tweetnacl, node-tunnel-agent,
node-tough-cookie, node-timed-out,node-through, node-through2,
node-term-size, node-tar-stream in the dependency list
* typo error
* added node-supports-color, node-strip-json-comments, node-strip-eof,
node-string-decoder, node-string-width, node-strict-uri-encode,
node-stream-shift, node-stream-iterate, node-stream-each,
node-sshpk,node-spdx-license-ids in the dependency list
* removed node-gyp from the node_modules as its added in dependency
* removed node-wcwidth from node_modules
* removed node_modules of s alphabets that are in debian archive now
* removed r alphabets node_modules which are available in debian archive
* qs node_modules removed
.
[ Xavier Guimard ]
* Refresh patches
* Remove 3 patches included in upstream
* Bump debhelper compatibility level to 12
* Declare compliance with policy 4.4.1
* Add "Rules-Requires-Root: no"
* New upstream version 6.13.4+ds (Closes: #904422, #947127)
* Remove all modules that already exists in Debian and update dependencies
(Closes: #914510)
* No more generate HTML doc (missing dependencies)
* Update lintian overrides
* Enable part of tap test during autopkgtest only (network access attempt)
* Update debian/clean
* Update copyright
* Install only relevant manpages
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel