Your message dated Sun, 06 Sep 2020 21:48:46 +0000
with message-id <e1kf2wk-000573...@fasolo.debian.org>
and subject line Bug#969668: fixed in grunt 1.3.0-1
has caused the Debian Bug report #969668,
regarding grunt: CVE-2020-7729
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
969668: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969668
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: grunt
Version: 1.0.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.0.1-8
Hi,
The following vulnerability was published for grunt.
CVE-2020-7729[0]:
| The package grunt before 1.3.0 are vulnerable to Arbitrary Code
| Execution due to the default usage of the function load() instead of
| its secure replacement safeLoad() of the package js-yaml inside
| grunt.file.readYAML.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-7729
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7729
[1] https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7
[2] https://snyk.io/vuln/SNYK-JS-GRUNT-597546
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: grunt
Source-Version: 1.3.0-1
Done: Xavier Guimard <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
grunt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 969...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <y...@debian.org> (supplier of updated grunt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 06 Sep 2020 23:31:45 +0200
Source: grunt
Architecture: source
Version: 1.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Xavier Guimard <y...@debian.org>
Closes: 969668
Changes:
grunt (1.3.0-1) unstable; urgency=medium
.
* Team upload
* Bump debhelper compatibility level to 13
* New upstream version 1.3.0 (Closes: #969668, CVE-2020-7729)
* Refresh patches
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel