Debian Bug report logs - #941189
node-set-value: CVE-2019-10747

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 26 Sep 2019 05:15:01 UTC

Severity: important

Tags: pending, security, upstream

Found in versions node-set-value/3.0.0-1, node-set-value/0.4.0-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#941189; Package src:node-set-value. (Thu, 26 Sep 2019 05:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Thu, 26 Sep 2019 05:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-set-value: CVE-2019-10747
Date: Thu, 26 Sep 2019 07:12:39 +0200
Source: node-set-value
Version: 0.4.0-1
Severity: important
Tags: security upstream
Control: found -1 3.0.0-1

Hi,

The following vulnerability was published for node-set-value.

CVE-2019-10747[0]:
| set-value is vulnerable to Prototype Pollution in versions lower than
| 3.0.1. The function mixin-deep could be tricked into adding or
| modifying properties of Object.prototype using any of the constructor,
| prototype and _proto_ payloads.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10747
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747
[1] https://snyk.io/vuln/SNYK-JS-SETVALUE-450213

Regards,
Salvatore
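As an added illustration of the prototype-pollution class named in the CVE text above (example code written for this page, not set-value's own code and not the Debian patch): a toy deep "set by dotted path" in the style of set-value, first in a vulnerable form and then with the kind of check that blocks the `__proto__` and `constructor.prototype` payloads. The function names, the dotted-path parsing and the payload strings are assumptions made for the illustration.

```javascript
// Added example, not code from set-value or from the Debian package: a toy
// deep "set by dotted path" in the spirit of set-value, shown in a vulnerable
// form and a hardened form. Function names are hypothetical.

// Vulnerable: every path segment is used as a property name and the walk
// descends into whatever it finds (objects and functions alike), so the
// segment "__proto__", or "constructor" followed by "prototype", lands the
// walk on Object.prototype and the final assignment pollutes it.
function setValueVulnerable(target, path, value) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const cur = obj[key];
    if (cur === null || (typeof cur !== 'object' && typeof cur !== 'function')) {
      obj[key] = {};
    }
    obj = obj[key];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: refuse the three dangerous segment names anywhere in the path,
// and only descend into own, plain-object properties (never inherited ones).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setValueSafe(target, path, value) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  for (const key of keys) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing to set unsafe path segment "${key}"`);
    }
  }
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(obj, key);
    if (!own || obj[key] === null || typeof obj[key] !== 'object') {
      obj[key] = {};
    }
    obj = obj[key];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Runs a setter with an attacker-style path (a constructed payload) against a
// throwaway object and reports whether an unrelated, freshly created object
// then inherits the injected property. Cleans Object.prototype afterwards so
// the rest of the process is unaffected.
function demonstratePollution(setter, payloadPath) {
  const before = ({}).polluted;
  let error = null;
  try {
    setter({}, payloadPath, 'injected');
  } catch (e) {
    error = e.message;
  }
  const after = ({}).polluted;
  delete Object.prototype.polluted;
  return { before, after, error };
}

// Usage: the vulnerable setter pollutes via both payload shapes; the hardened
// one rejects them and still works for ordinary paths.
console.log(demonstratePollution(setValueVulnerable, '__proto__.polluted'));
console.log(demonstratePollution(setValueVulnerable, 'constructor.prototype.polluted'));
console.log(demonstratePollution(setValueSafe, '__proto__.polluted'));
console.log(setValueSafe({}, 'a.b.c', 1));
```

The check is applied to every segment, not only the first, because the walk can reach Object.prototype from any depth (`a.__proto__.x` is as dangerous as `__proto__.x`), and a property added there is visible on every object in the process, which is what turns a "set a config value" call into an application-wide integrity problem.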



Marked as found in versions node-set-value/3.0.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 26 Sep 2019 05:15:04 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#941189. (Thu, 26 Sep 2019 05:33:04 GMT)


Message #10 received at 941189-submitter@bugs.debian.org:

From: Xavier Guimard <noreply@salsa.debian.org>
To: 941189-submitter@bugs.debian.org
Subject: Bug#941189 marked as pending in node-set-value
Date: Thu, 26 Sep 2019 05:30:02 +0000
Control: tag -1 pending

Hello,

Bug #941189 in node-set-value reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-set-value/commit/369b526cce423c58b18c7137d1451033fee8247d

------------------------------------------------------------------------
Fix prototype pollution (Closes: #941189, CVE-2019-10747)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/941189



Added tag(s) pending. Request was from Xavier Guimard <noreply@salsa.debian.org> to 941189-submitter@bugs.debian.org. (Thu, 26 Sep 2019 05:33:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#941189; Package src:node-set-value. (Thu, 26 Sep 2019 05:54:04 GMT)


Acknowledgement sent to Xavier <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Thu, 26 Sep 2019 05:54:04 GMT)


Message #17 received at 941189@bugs.debian.org:

From: Xavier <yadd@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 941189@bugs.debian.org
Subject: Re: [Pkg-javascript-devel] Bug#941189: node-set-value: CVE-2019-10747
Date: Thu, 26 Sep 2019 07:31:21 +0200
On 26/09/2019 at 07:12, Salvatore Bonaccorso wrote:
> Source: node-set-value
> Version: 0.4.0-1
> Severity: important
> Tags: security upstream
> Control: found -1 3.0.0-1
> 
> Hi,
> 
> The following vulnerability was published for node-set-value.
> 
> CVE-2019-10747[0]:
> | set-value is vulnerable to Prototype Pollution in versions lower than
> | 3.0.1. The function mixin-deep could be tricked into adding or
> | modifying properties of Object.prototype using any of the constructor,
> | prototype and _proto_ payloads.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-10747
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747
> [1] https://snyk.io/vuln/SNYK-JS-SETVALUE-450213

Hi,

here is a patch for Buster

Cheers,
Xavier
[node-set-value_0.4.0-1+deb10u1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#941189; Package src:node-set-value. (Thu, 26 Sep 2019 06:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Thu, 26 Sep 2019 06:09:03 GMT)


Message #22 received at 941189@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Xavier <yadd@debian.org>
Cc: 941189@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: [Pkg-javascript-devel] Bug#941189: node-set-value: CVE-2019-10747
Date: Thu, 26 Sep 2019 08:04:35 +0200
Hi Xavier,

On Thu, Sep 26, 2019 at 07:31:21AM +0200, Xavier wrote:
> On 26/09/2019 at 07:12, Salvatore Bonaccorso wrote:
> > Source: node-set-value
> > Version: 0.4.0-1
> > Severity: important
> > Tags: security upstream
> > Control: found -1 3.0.0-1
> > 
> > Hi,
> > 
> > The following vulnerability was published for node-set-value.
> > 
> > CVE-2019-10747[0]:
> > | set-value is vulnerable to Prototype Pollution in versions lower than
> > | 3.0.1. The function mixin-deep could be tricked into adding or
> > | modifying properties of Object.prototype using any of the constructor,
> > | prototype and _proto_ payloads.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-10747
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747
> > [1] https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
> 
> Hi,
> 
> here is a patch for Buster

Thanks, you are fast :). I think like other similar cases for node-*
modules we can go the buster-pu route here as well.

Unless you object, I will mark it as no-dsa (Can be fixed via point
release).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#941189; Package src:node-set-value. (Thu, 26 Sep 2019 07:15:06 GMT)


Acknowledgement sent to Xavier <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Thu, 26 Sep 2019 07:15:06 GMT)


Message #27 received at 941189@bugs.debian.org:

From: Xavier <yadd@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 941189@bugs.debian.org,Debian Security Team <team@security.debian.org>
Subject: Re: [Pkg-javascript-devel] Bug#941189: node-set-value: CVE-2019-10747
Date: Thu, 26 Sep 2019 09:14:21 +0200
Hi,

Of course a point release is enough here


Cheers,
Xavier

On 26 September 2019 08:04:35 GMT+02:00, Salvatore Bonaccorso <carnil@debian.org> wrote:
>Hi Xavier,
>
>On Thu, Sep 26, 2019 at 07:31:21AM +0200, Xavier wrote:
>> On 26/09/2019 at 07:12, Salvatore Bonaccorso wrote:
>> > Source: node-set-value
>> > Version: 0.4.0-1
>> > Severity: important
>> > Tags: security upstream
>> > Control: found -1 3.0.0-1
>> > 
>> > Hi,
>> > 
>> > The following vulnerability was published for node-set-value.
>> > 
>> > CVE-2019-10747[0]:
>> > | set-value is vulnerable to Prototype Pollution in versions lower than
>> > | 3.0.1. The function mixin-deep could be tricked into adding or
>> > | modifying properties of Object.prototype using any of the constructor,
>> > | prototype and _proto_ payloads.
>> > 
>> > 
>> > If you fix the vulnerability please also make sure to include the
>> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>> > 
>> > For further information see:
>> > 
>> > [0] https://security-tracker.debian.org/tracker/CVE-2019-10747
>> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747
>> > [1] https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
>> 
>> Hi,
>> 
>> here is a patch for Buster
>
>Thanks, you are fast :). I think like other similar cases for node-*
>modules we can go the buster-pu route here as well.
>
>Unless you object, I will mark it as no-dsa (Can be fixed via point
>release).
>
>Regards,
>Salvatore

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Sep 26 16:46:17 2019; Machine Name: buxtehude
