Your message dated Sun, 08 Mar 2026 13:13:29 +0000
with message-id <[email protected]>
and subject line Bug#1129097: fixed in node-dottie 2.0.7+~2.0.7-1
has caused the Debian Bug report #1129097,
regarding node-dottie: CVE-2026-27837
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1129097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129097
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-dottie
Version: 2.0.6+~2.0.5-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-dottie.

CVE-2026-27837[0]:
| Dottie provides nested object access and manipulation in JavaScript.
| Versions 2.0.4 through 2.0.6 contain an incomplete fix for
| CVE-2023-26132. The prototype pollution guard introduced in commit
| `7d3aee1` only validates the first segment of a dot-separated path,
| allowing an attacker to bypass the protection by placing `__proto__`
| at any position other than the first. Both `dottie.set()` and
| `dottie.transform()` are affected. Version 2.0.7 contains an updated
| fix to address the residual vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27837
    https://www.cve.org/CVERecord?id=CVE-2026-27837
[1] https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w
[2] https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
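
The guard flaw described in the CVE text above, as an added example that is not part of the original bug report and is not dottie's source code: a minimal dot-path setter run once with a guard that checks only the first segment and once with a guard that checks every segment. `setPath`, `firstSegmentGuard`, `everySegmentGuard`, `probe` and the marker key are hypothetical names, and the paths are constructed inputs.

```javascript
// Added illustration; all names here are hypothetical, not dottie's API.
const MARKER = 'demoMarker1129097'; // constructed key used to detect pollution

// Guard shape the advisory describes: only the first path segment is validated.
function firstSegmentGuard(segments) {
  return segments[0] !== '__proto__';
}

// Hardened shape: every segment of the path is validated.
function everySegmentGuard(segments) {
  return segments.every((segment) => segment !== '__proto__');
}

// Minimal nested setter: walks the dot-separated path, creating objects as needed.
function setPath(target, path, value, guard) {
  const segments = path.split('.');
  if (!guard(segments)) {
    throw new Error(`refusing unsafe path: ${path}`);
  }
  let node = target;
  for (const key of segments.slice(0, -1)) {
    if (node[key] === null || typeof node[key] !== 'object') node[key] = {};
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Applies one path to a fresh object and reports the outcome:
// 'rejected' (guard threw), 'polluted' (Object.prototype gained MARKER), or 'safe'.
function probe(path, guard) {
  try {
    setPath({ a: {} }, path, true, guard);
  } catch (err) {
    return 'rejected';
  }
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, MARKER);
  delete Object.prototype[MARKER]; // always restore the shared prototype
  return polluted ? 'polluted' : 'safe';
}

for (const path of [`__proto__.${MARKER}`, `a.__proto__.${MARKER}`, `a.b.${MARKER}`]) {
  console.log(path, '| first-segment:', probe(path, firstSegmentGuard),
    '| every-segment:', probe(path, everySegmentGuard));
}
```
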
--- Begin Message ---
Source: node-dottie
Source-Version: 2.0.7+~2.0.7-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-dottie, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-dottie package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 08 Mar 2026 13:27:21 +0100
Source: node-dottie
Architecture: source
Version: 2.0.7+~2.0.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1129097
Changes:
 node-dottie (2.0.7+~2.0.7-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.3
   * Drop "Rules-Requires-Root: no"
   * debian/watch version 5
   * New upstream version (Closes: #1129097, CVE-2026-27837)


--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
