Your message dated Wed, 26 Jul 2023 20:32:08 +0000
with message-id <e1qolb2-006kym...@fasolo.debian.org>
and subject line Bug#1040592: fixed in node-dottie 2.0.2-4+deb12u1
has caused the Debian Bug report #1040592,
regarding node-dottie: CVE-2023-26132
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1040592: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040592
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-dottie
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-dottie.
CVE-2023-26132[0]:
| Versions of the package dottie before 2.0.4 are vulnerable to
| Prototype Pollution due to insufficient checks, via the set()
| function and the current variable in the /dottie.js file.
https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763
https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-26132
https://www.cve.org/CVERecord?id=CVE-2023-26132
Please adjust the affected versions in the BTS as needed.
--- End Message ---
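The class of bug named in the CVE text above (a dot-path set() that walks into the prototype), shown beside a hardened form. This is an added example, not code from dottie, the upstream commit or the Debian patch; the function names, BLOCKED_KEYS and the sample paths are hypothetical and constructed for illustration.

```javascript
// Added illustration, not dottie's source; all names here are hypothetical.
// No check on key names: an inherited "__proto__" is followed like any key.
function unsafeSet(obj, path, value) {
  const keys = path.split('.');
  let current = obj;
  for (const key of keys.slice(0, -1)) {
    if (typeof current[key] !== 'object' || current[key] === null) {
      current[key] = {};
    }
    current = current[key]; // for "__proto__" this is Object.prototype
  }
  current[keys[keys.length - 1]] = value;
  return obj;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Rejects prototype-reaching keys and only descends into own properties.
function safeSet(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED_KEYS.has(k))) {
    throw new TypeError('unsafe key in path: ' + path);
  }
  let current = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(current, key);
    if (!own || typeof current[key] !== 'object' || current[key] === null) {
      current[key] = {};
    }
    current = current[key];
  }
  current[keys[keys.length - 1]] = value;
  return obj;
}

// Runs both setters on a constructed path and reports what happened.
function demo() {
  const out = {};
  unsafeSet({}, '__proto__.polluted', true);
  out.unsafeLeaked = ({}).polluted === true; // an unrelated object is affected
  delete Object.prototype.polluted;          // undo the pollution
  try { safeSet({}, '__proto__.polluted', true); out.safeRejected = false; }
  catch (e) { out.safeRejected = e instanceof TypeError; }
  out.safeLeaked = ({}).polluted === true;
  out.nested = safeSet({}, 'a.b', 1).a.b;    // ordinary paths still work
  return out;
}
```
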
--- Begin Message ---
Source: node-dottie
Source-Version: 2.0.2-4+deb12u1
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-dottie, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1040...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-dottie package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 09 Jul 2023 08:43:00 +0400
Source: node-dottie
Architecture: source
Version: 2.0.2-4+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1040592
Changes:
node-dottie (2.0.2-4+deb12u1) bookworm; urgency=medium
.
* Team upload
* Fix prototype pollution (Closes: #1040592, CVE-2023-26132)
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel