Your message dated Sat, 19 Sep 2020 10:02:09 +0000
with message-id <e1kjzh3-000bgs...@fasolo.debian.org>
and subject line Bug#969668: fixed in grunt 1.0.1-8+deb10u1
has caused the Debian Bug report #969668,
regarding grunt: CVE-2020-7729
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
969668: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969668
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: grunt
Version: 1.0.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.0.1-8
Hi,
The following vulnerability was published for grunt.
CVE-2020-7729[0]:
| The package grunt before 1.3.0 is vulnerable to Arbitrary Code
| Execution due to the default usage of the function load() instead of
| its secure replacement safeLoad() of the package js-yaml inside
| grunt.file.readYAML.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-7729
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7729
[1] https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7
[2] https://snyk.io/vuln/SNYK-JS-GRUNT-597546
Regards,
Salvatore
--- End Message ---
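A pre-load check related to the CVE description above, as an added example that is not part of the bug report or of grunt's code: it flags the JavaScript-specific tags (js/function, js/regexp, js/undefined) that js-yaml 3.x's load() constructs by default and safeLoad() refuses. The names findJsTags, stripComment and SAMPLE are hypothetical, and the sample input is constructed.

```javascript
'use strict';

// Tags from js-yaml 3.x's full schema, which load() accepts by default
// and safeLoad() rejects. Matches the shorthand (!!js/function) and the
// verbatim (!<tag:yaml.org,2002:js/function>) spellings.
const JS_TAG = /(?:!!|!<tag:yaml\.org,2002:)js\/(function|regexp|undefined)\b/;

// Remove a trailing "# comment" so commented-out tags are not flagged.
// Simplification (assumption): quotes are tracked per line only, so
// multi-line and block scalars are not understood. A tag that appears
// inside a quoted string is still reported, which errs on the safe side.
function stripComment(line) {
  let quote = null;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (quote) {
      if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c;
    } else if (c === '#' && (i === 0 || /\s/.test(line[i - 1]))) {
      return line.slice(0, i);
    }
  }
  return line;
}

// Return [{ line, tag }] for every JavaScript-specific tag in the text.
function findJsTags(yamlText) {
  const hits = [];
  yamlText.split(/\r?\n/).forEach((raw, idx) => {
    const m = JS_TAG.exec(stripComment(raw));
    if (m) hits.push({ line: idx + 1, tag: 'js/' + m[1] });
  });
  return hits;
}

// Constructed sample input, not taken from the bug report.
const SAMPLE = [
  'name: demo',
  'pattern: !!js/regexp /^a+$/',
  '# hook: !!js/function "function () {}"',
  'hook: !<tag:yaml.org,2002:js/function> "function () { return 1; }"',
  'note: "issue #12 is fine"',
].join('\n');

console.log(findJsTags(SAMPLE));
```

A non-empty result means the file should be reviewed before it is handed to a loader that still uses load(), such as grunt.file.readYAML in the unfixed versions named above.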
--- Begin Message ---
Source: grunt
Source-Version: 1.0.1-8+deb10u1
Done: Xavier Guimard <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
grunt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 969...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <y...@debian.org> (supplier of updated grunt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 06 Sep 2020 23:41:10 +0200
Source: grunt
Architecture: source
Version: 1.0.1-8+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Xavier Guimard <y...@debian.org>
Closes: 969668
Changes:
grunt (1.0.1-8+deb10u1) buster; urgency=medium
.
* Team upload
* Use `safeLoad` for loading YML files via `file.readYAML`
(Closes: #969668, CVE-2020-7729)
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel