Your message dated Fri, 21 Apr 2023 07:34:03 +0000
with message-id <e1pplhp-007uym...@fasolo.debian.org>
and subject line Bug#1034148: fixed in node-xml2js 0.4.23+~cs15.4.0+dfsg-5
has caused the Debian Bug report #1034148,
regarding node-xml2js: CVE-2023-0842
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1034148: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034148
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-xml2js
Version: 0.4.23+~cs15.4.0+dfsg-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/Leonidas-from-XIV/node-xml2js/issues/663
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for node-xml2js.
CVE-2023-0842[0]:
| xml2js version 0.4.23 allows an external attacker to edit or add new
| properties to an object. This is possible because the application does
| not properly validate incoming JSON keys, thus allowing the __proto__
| property to be edited.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-0842
https://www.cve.org/CVERecord?id=CVE-2023-0842
[1] https://github.com/Leonidas-from-XIV/node-xml2js/issues/663
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
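The CVE text above describes the failure mode in one sentence: element names taken from the input are used as object keys without validation, so a key of `__proto__` reaches `Object.prototype`. The following is an added example, not code from xml2js or from the Debian patch, that models that pattern in a deliberately small XML-to-object converter and shows the check that closes it. The node shape, the function names, the `FORBIDDEN_KEYS` list and the sample document are this example's own assumptions.

```javascript
// Added example (not xml2js code): how an XML-to-object converter that uses
// element names as object keys can write to Object.prototype, and how key
// validation plus own-property lookups prevent it.

// Element names that resolve to, or lead to, Object.prototype when used as keys.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed sample: the parsed form of
//   <root><name>alice</name><__proto__><polluted>yes</polluted></__proto__></root>
// A node is { name, text } for a leaf or { name, children } for a container.
const SAMPLE_ROOT = {
  name: 'root',
  children: [
    { name: 'name', text: 'alice' },
    { name: '__proto__', children: [{ name: 'polluted', text: 'yes' }] },
  ],
};

// Constructed sample without a hostile element name.
const CLEAN_ROOT = {
  name: 'root',
  children: [{ name: 'name', text: 'alice' }],
};

// Vulnerable pattern: the container for a tag is fetched with plain property
// access, so target['__proto__'] returns Object.prototype (inherited, truthy)
// and the nested leaf assignment lands on every object in the process.
function assignUnsafe(target, node) {
  if (node.children) {
    const container = target[node.name] || (target[node.name] = {});
    for (const child of node.children) assignUnsafe(container, child);
  } else {
    target[node.name] = node.text;
  }
  return target;
}

// Hardened pattern: reject prototype-bound names outright, reuse a container
// only when it is an own property of the target, and create new containers
// without a prototype so no inherited accessor can ever be hit.
function assignSafe(target, node) {
  if (FORBIDDEN_KEYS.has(node.name)) {
    throw new Error(`refusing to use element name as key: ${node.name}`);
  }
  if (node.children) {
    let container;
    if (Object.prototype.hasOwnProperty.call(target, node.name)) {
      container = target[node.name];
    } else {
      container = Object.create(null);
      target[node.name] = container;
    }
    for (const child of node.children) assignSafe(container, child);
  } else {
    target[node.name] = node.text;
  }
  return target;
}

// Runs a builder over SAMPLE_ROOT and reports whether an unrelated, freshly
// created object picked up the injected property. Removes the property again
// so the process is left as it was found.
function pollutionCheck(assign) {
  let result;
  let error = null;
  try {
    result = assign({}, SAMPLE_ROOT);
  } catch (e) {
    error = e.message;
  }
  const polluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return { polluted, error, result };
}

// Stand-alone run: the unsafe builder pollutes, the safe one refuses the key.
console.log('unsafe:', pollutionCheck(assignUnsafe).polluted);  // true
console.log('safe:  ', pollutionCheck(assignSafe));             // polluted: false, error set
console.log('clean: ', assignSafe({}, CLEAN_ROOT).root.name);    // alice
```

The two checks in `assignSafe` are independent defences: the deny-list stops the key from ever being used, and the own-property lookup with null-prototype containers means that even a name missing from the list could not reach an inherited object. Rejecting the document (rather than silently dropping the element) is the choice that matches the CVE's framing of the bug as a missing validation step, and it also leaves a clear log signal when hostile input arrives.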
--- Begin Message ---
Source: node-xml2js
Source-Version: 0.4.23+~cs15.4.0+dfsg-5
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-xml2js, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1034...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-xml2js package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 21 Apr 2023 11:11:13 +0400
Source: node-xml2js
Built-For-Profiles: nocheck
Architecture: source
Version: 0.4.23+~cs15.4.0+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1034148
Changes:
node-xml2js (0.4.23+~cs15.4.0+dfsg-5) unstable; urgency=medium
.
* Team upload
* Update standards version to 4.6.2, no changes needed.
* Update nodejs dependency to nodejs:any
* Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842)
Checksums-Sha1:
50935cbfb256005fdb911716813dac0d7d4e43ea 2859 node-xml2js_0.4.23+~cs15.4.0+dfsg-5.dsc
5a88b48054f5e23a61a6922954687ec12bc7d1ee 8068 node-xml2js_0.4.23+~cs15.4.0+dfsg-5.debian.tar.xz
Checksums-Sha256:
abba93c97d10a50e174341b70100ed55d95ca210dc6aee1c01b5a44b50e86542 2859 node-xml2js_0.4.23+~cs15.4.0+dfsg-5.dsc
288017cb88bb59a2e2de82dea9af7ba764f1b4e58ec937f3cdf7f8dee3bffda7 8068 node-xml2js_0.4.23+~cs15.4.0+dfsg-5.debian.tar.xz
Files:
a4a8e10264d4d31d73adf4416c051857 2859 javascript optional node-xml2js_0.4.23+~cs15.4.0+dfsg-5.dsc
211f27cf1d9340c8d74c66ed449ce6c6 8068 javascript optional node-xml2js_0.4.23+~cs15.4.0+dfsg-5.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel