Your message dated Sat, 05 Dec 2020 11:11:25 +0000
with message-id <e1klvtj-00040r...@fasolo.debian.org>
and subject line Bug#976446: fixed in highlight.js 9.18.1+dfsg1-3
has caused the Debian Bug report #976446,
regarding highlight.js: CVE-2020-26237
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
976446: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976446
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: highlight.js
Version: 9.18.1+dfsg1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/highlightjs/highlight.js/pull/2636
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 9.12.0+dfsg1-4

Hi,

The following vulnerability was published for highlight.js.

CVE-2020-26237[0]:
| Highlight.js is a syntax highlighter written in JavaScript.
| Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to
| Prototype Pollution. A malicious HTML code block can be crafted that
| will result in prototype pollution of the base object's prototype
| during highlighting. If you allow users to insert custom HTML code
| blocks into your page/app via parsing Markdown code blocks (or
| similar) and do not filter the language names the user can provide you
| may be vulnerable. The pollution should just be harmless data but this
| can cause problems for applications not expecting these properties to
| exist and can result in strange behavior or application crashes, i.e.
| a potential DOS vector. If your website or application does not render
| user provided data it should be unaffected. Versions 9.18.2 and 10.1.2
| and newer include fixes for this vulnerability. If you are using
| version 7 or 8 you are encouraged to upgrade to a newer release.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-26237
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26237
[1] https://github.com/highlightjs/highlight.js/pull/2636
[2] https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-rc6-amd64 (SMP w/8 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
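The vector the CVE text above describes, as an added example that is not highlight.js's own code: a toy language registry keyed by the fence language name a user supplies, first in the plain-object form where "__proto__" resolves to Object.prototype and a mutating compile step pollutes it, then in a null-prototype form with an own-property check. The registry and compile functions, the "python" sample definition and runAndCheckPollution are assumptions for illustration; the project's actual fix is in the linked PR #2636.

```javascript
// Added example, not highlight.js's own code: a toy language registry in the
// CVE-2020-26237 pattern, where the user-supplied fence name is the lookup key.

// Vulnerable registry: a plain object inherits from Object.prototype, so
// inherited keys such as "__proto__" resolve as if they were languages.
function makeVulnerableRegistry() {
  const languages = {};
  return {
    register(name, def) { languages[name] = def; },
    getLanguage(name) { return languages[name]; },
  };
}

// Hardened registry: null-prototype store plus an own-property check, so
// unknown or hostile names resolve to undefined and nothing is mutated.
function makeHardenedRegistry() {
  const languages = Object.create(null);
  return {
    register(name, def) { languages[name] = def; },
    getLanguage(name) {
      return Object.prototype.hasOwnProperty.call(languages, name)
        ? languages[name] : undefined;
    },
  };
}

// Stand-in (assumed) for the highlighter's compile step, which caches
// compiled state by writing onto the definition object it was given.
function compileLanguage(def) {
  if (!def) return null;
  def.compiled = true;
  return def;
}

// Highlight one fenced block whose language tag is attacker controlled.
function highlight(registry, langName) {
  return compileLanguage(registry.getLanguage(langName)) ? 'highlighted' : 'plain';
}

// Run one block through a registry and report whether Object.prototype
// picked up the "compiled" property; cleans up so runs stay independent.
function runAndCheckPollution(makeRegistry, langName) {
  const registry = makeRegistry();
  registry.register('python', { keywords: 'def class' }); // constructed sample
  highlight(registry, langName);
  const polluted = 'compiled' in {};
  delete Object.prototype.compiled;
  return polluted;
}
```

The same own-property check is what separates a registered language from an inherited property on any plain-object lookup table fed by untrusted keys.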
--- Begin Message ---
Source: highlight.js
Source-Version: 9.18.1+dfsg1-3
Done: Xavier Guimard <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
highlight.js, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 976...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <y...@debian.org> (supplier of updated highlight.js package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sat, 05 Dec 2020 11:50:14 +0100
Source: highlight.js
Architecture: source
Version: 9.18.1+dfsg1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Xavier Guimard <y...@debian.org>
Closes: 976446
Changes:
 highlight.js (9.18.1+dfsg1-3) unstable; urgency=medium
 .
   * Team upload
   * Fix prototype pollution (Closes: #976446 CVE-2020-26237)
   * Move transitional packages libjs-highlight, node-highlight
     to oldlibs/optional per policy 4.0.1.
   * Declare compliance with policy 4.5.1
   * Change section to javascript
   * Add ctype=nodejs to component(s)

--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel