Debian Bug report logs - #898315
node-mixin-deep: CVE-2018-3719: Prototype pollution via merging functions
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#898315; Package src:node-mixin-deep. (Thu, 10 May 2018 07:21:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Thu, 10 May 2018 07:21:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: node-mixin-deep
Version: 1.1.3-1
Severity: important
Tags: security upstream
Forwarded: https://nodesecurity.io/advisories/578
Hi,
The following vulnerability was published for node-mixin-deep.
CVE-2018-3719[0]:
Prototype pollution via merging functions
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-3719
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3719
[1] https://nodesecurity.io/advisories/578
Regards,
Salvatore
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#898315. (Sun, 21 Apr 2019 12:30:04 GMT)
Message #8 received at 898315-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #898315 in node-mixin-deep reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/js-team/node-mixin-deep/commit/f4ba76df0e07f9300188ad24586897f0aa40b914
------------------------------------------------------------------------
Fix prototype pollution (Closes: #898315, CVE-2018-3719)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/898315
Added tag(s) pending. Request was from Xavier Guimard <noreply@salsa.debian.org> to 898315-submitter@bugs.debian.org. (Sun, 21 Apr 2019 12:30:04 GMT)
Reply sent to Xavier Guimard <yadd@debian.org>: You have taken responsibility. (Sun, 21 Apr 2019 12:51:09 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 21 Apr 2019 12:51:09 GMT)
Message #15 received at 898315-close@bugs.debian.org:
Source: node-mixin-deep
Source-Version: 1.1.3-2
We believe that the bug you reported is fixed in the latest version of
node-mixin-deep, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 898315@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated node-mixin-deep package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 21 Apr 2019 14:24:15 +0200
Source: node-mixin-deep
Architecture: source
Version: 1.1.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 898315
Changes:
node-mixin-deep (1.1.3-2) unstable; urgency=medium
.
* Team upload
* Add upstream/metadata
* Declare compliance with policy 4.3.0
* Change section to javascript
* Fix prototype pollution (Closes: #898315, CVE-2018-3719)
* Switch tests to pkg-js-tools
* Fix VCS fields
* Fix debian/copyright
Checksums-Sha1:
85f9a631d08fed37655e9628d364c511125c8e9d 2138 node-mixin-deep_1.1.3-2.dsc
74d2af7fa434b3c72ba331c733300d9fcf396feb 2632 node-mixin-deep_1.1.3-2.debian.tar.xz
Checksums-Sha256:
661061b635d6a7a044541d8e088af8680d84460b9fe47eebde55a842aa8da5ad 2138 node-mixin-deep_1.1.3-2.dsc
505d5fa4bdf7360e876a4bfc22da2ea671cb6460bd3b88f99cea686be281c676 2632 node-mixin-deep_1.1.3-2.debian.tar.xz
Files:
d0f67066ac7f5f67711e569425b08e8c 2138 javascript optional node-mixin-deep_1.1.3-2.dsc
17f338bd3eceda445ee2fc13bd4751bb 2632 javascript optional node-mixin-deep_1.1.3-2.debian.tar.xz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 22 May 2019 07:25:48 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:54:40 2019; Machine Name: beach