Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

dojo: CVE-2019-10785

Related Vulnerabilities: CVE-2019-10785  

Source

Debian Bug report logs - #952771
dojo: CVE-2019-10785

version graph

Package: src:dojo; Maintainer for src:dojo is Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 28 Feb 2020 21:51:01 UTC

Severity: important

Tags: security, upstream

Found in versions dojo/1.14.2+dfsg1-1, dojo/1.15.0+dfsg1-1

Fixed in version dojo/1.15.2+dfsg1-1

Done: Xavier Guimard <yadd@debian.org>

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#952771; Package src:dojo. (Fri, 28 Feb 2020 21:51:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Fri, 28 Feb 2020 21:51:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dojo: CVE-2019-10785
Date: Fri, 28 Feb 2020 22:49:37 +0100
Source: dojo
Version: 1.15.0+dfsg1-1
Severity: important
Tags: security upstream
Control: found -1 1.14.2+dfsg1-1

Hi,

The following vulnerability was published for dojo.

CVE-2019-10785[0]:
| dojox is vulnerable to Cross-site Scripting in all versions before
| version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due
| to dojox.xmpp.util.xmlEncode only encoding the first occurrence of
| each character, not all of them.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10785
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10785
[1] https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
[2] https://snyk.io/vuln/SNYK-JS-DOJOX-548257

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Marked as found in versions dojo/1.14.2+dfsg1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 28 Feb 2020 21:51:03 GMT) (full text, mbox, link).

Reply sent to Xavier Guimard <yadd@debian.org>:
You have taken responsibility. (Sat, 29 Feb 2020 07:39:06 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 29 Feb 2020 07:39:06 GMT) (full text, mbox, link).

Message #12 received at 952771-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 952771-close@bugs.debian.org
Subject: Bug#952771: fixed in dojo 1.15.2+dfsg1-1
Date: Sat, 29 Feb 2020 07:34:54 +0000
Source: dojo
Source-Version: 1.15.2+dfsg1-1
Done: Xavier Guimard <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
dojo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 952771@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated dojo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 29 Feb 2020 08:17:40 +0100
Source: dojo
Architecture: source
Version: 1.15.2+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 952771
Changes:
 dojo (1.15.2+dfsg1-1) unstable; urgency=medium
 .
   * Team upload
 .
   [ Debian Janitor ]
   * Update standards version to 4.4.1, no changes needed.
   * debian/copyright: use spaces rather than tabs to start continuation
     lines.
   * Fix day-of-week for changelog entries 1.3.2+dfsg-1.
 .
   [ Xavier Guimard ]
   * Declare compliance with policy 4.5.0
   * Add debian/gbp.conf
   * Add upstream/metadata
   * New upstream version 1.15.2+dfsg1 (Closes: #952771, CVE-2019-10785)
   * Update lintian overrides
Checksums-Sha1: 
 759df8d54aaf0a7ed583c7262f7e2fdc53852d86 2385 dojo_1.15.2+dfsg1-1.dsc
 2b0d676dcadebaf069bedce9404c2cc577d07f9f 30314740 dojo_1.15.2+dfsg1.orig.tar.xz
 91f451c423d779e59b2e4ce726b0db2a9bc1eabc 15256 dojo_1.15.2+dfsg1-1.debian.tar.xz
Checksums-Sha256: 
 790e67a3044c9f4045d107aa88e7d5b9789d8f32da545a9b73184a37b303a71b 2385 dojo_1.15.2+dfsg1-1.dsc
 9af21c31590815ebb14bb6a58cde17841c0c5ac391fb0af4530d85431c615500 30314740 dojo_1.15.2+dfsg1.orig.tar.xz
 5acd883095aa2dc9091d4b6e22e965ee1b2901c8b8f112944ab7285f087361a8 15256 dojo_1.15.2+dfsg1-1.debian.tar.xz
Files: 
 4a63dc40c4d99d1d263fd547e979d151 2385 javascript optional dojo_1.15.2+dfsg1-1.dsc
 7f35fc74fdce6055774b45521ec765a2 30314740 javascript optional dojo_1.15.2+dfsg1.orig.tar.xz
 4d7eeac54b4fe6060f0b4fb708022157 15256 javascript optional dojo_1.15.2+dfsg1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAl5aEZcACgkQ9tdMp8mZ
7um0Wg/+Ki3gpgH6Rs7E4DWUZxj9SQ3cklNJN4f9X5LxADLL7g9mTcAruN32CqcZ
drpcLTsvcpKIWk5KQ0iZCUcPLbt08psYU2gTUNIOLOicKJEAoE52Be7+5tX+SG7q
yKt2iCeVvu7mOBWWyu8ZAkF/8c1wnnIHr1Kcx0Ko+tzw3FLd1TMZIJ/9kaJqUDGH
UQQPv8ytVFaHdFyJQm6iOGgQftgrcR28kFC9YDbR5Ji7TfO01LoHUEyTWOY/Rkzg
lIbQeqFH4WpYgMEa+A2rbRIWcViInaxOf7swkv3cHJCXqozPPdq03jy8qSjPD66/
O8DadUNqHEB6woGd+T4H9EV0eiB6YbKmykkJqOUtRG3WOR2qRMqIswZm/NBQXg+k
Vg2q7udq+F1IpMLA0kK8BMPijZEK9gVJkrKx4A5liowMKzttFNiGFvwURpS6a/su
Xhd970IkTPB3Ma6pqnNtZyMDRVVF6wUmd4dzEr2QDNAw0B+yo8KE3SGYzSJb0vT1
M9HRcl6Jm1ZclYiNWxAcerDkEt+0ihAFWcSbkK8Xqjmaxu4/BEI7IaSKfzviPGjw
GKtPx0cjjejy/1OIcSLBzJ82LJTr+e6iDf/qotq8+oUNVLhm6fheDMZsnOeXVrUE
w0rVWE0e5uP4ggGsnXjhmj2jlbx3VZQFOiD4dbYSXEP2f6Y2TnI=
=Xz4C
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Feb 29 08:33:09 2020; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started