node-json-schema: CVE-2021-3918 - Prototype Pollution

Related Vulnerabilities: CVE-2021-3918  

Debian Bug report logs - #999765


Reported by: Neil Williams <codehelp@debian.org>

Date: Tue, 16 Nov 2021 11:09:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version node-json-schema/0.3.0+~7.0.6-1

Fixed in version node-json-schema/0.4.0+~7.0.9-1

Done: Jonas Smedegaard <dr@jones.dk>



Report forwarded to debian-bugs-dist@lists.debian.org, codehelp@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#999765; Package src:node-json-schema. (Tue, 16 Nov 2021 11:09:03 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
New Bug report received and forwarded. Copy sent to codehelp@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Tue, 16 Nov 2021 11:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-json-schema: CVE-2021-3918 - Prototype Pollution
Date: Tue, 16 Nov 2021 11:06:32 +0000
Source: node-json-schema
Version: 0.3.0+~7.0.6-1
Severity: important
Tags: security
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>


Hi,

The following vulnerability was published for node-json-schema.

CVE-2021-3918[0]:
| json-schema is vulnerable to Improperly Controlled Modification of
| Object Prototype Attributes ('Prototype Pollution')


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3918
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3918

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-2-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Tue, 16 Nov 2021 11:51:05 GMT)


Notification sent to Neil Williams <codehelp@debian.org>:
Bug acknowledged by developer. (Tue, 16 Nov 2021 11:51:05 GMT)


Message #10 received at 999765-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 999765-close@bugs.debian.org
Subject: Bug#999765: fixed in node-json-schema 0.4.0+~7.0.9-1
Date: Tue, 16 Nov 2021 11:48:42 +0000
Source: node-json-schema
Source-Version: 0.4.0+~7.0.9-1
Done: Jonas Smedegaard <dr@jones.dk>

We believe that the bug you reported is fixed in the latest version of
node-json-schema, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 999765@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated node-json-schema package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 16 Nov 2021 17:59:10 +0100
Source: node-json-schema
Architecture: source
Version: 0.4.0+~7.0.9-1
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Closes: 999765
Changes:
 node-json-schema (0.4.0+~7.0.9-1) unstable; urgency=high
 .
   [ upstream ]
   * new release
     + disallow __proto__ property being used for schema default/coerce
       and protect against constructor modification;
       closes: bug#999765, thanks to Neil Williams;
       CVE-2021-3918
 .
   [ Jonas Smedegaard ]
   * simplify source helper script copyright-check
   * update copyright info:
     + use Reference field (not License-Reference);
       tighten lintian overrides
     + update coverage
   * declare compliance with Debian Policy 4.6.0
   * set urgency=high due to security fix
   * remove executable bit on JavaScript library files
Checksums-Sha1:
 547aae0622c55470bd654fda51a8927cbba88fef 2472 node-json-schema_0.4.0+~7.0.9-1.dsc
 97edc9037ea0c38585320b28964dde3b39e4660d 6164 node-json-schema_0.4.0+~7.0.9.orig-Xtypes.tar.gz
 61f86e496b268038b1f95b8520d32349bec14cbc 38002 node-json-schema_0.4.0+~7.0.9.orig.tar.gz
 a6f3ca773cf2adc6213b8fdfdb84fee58683ccd1 5064 node-json-schema_0.4.0+~7.0.9-1.debian.tar.xz
 4567a18fac3958a084d285a61d26d58d4b4a00e8 5957 node-json-schema_0.4.0+~7.0.9-1_amd64.buildinfo
Checksums-Sha256:
 79f8a4513ed16e18daedbec8ee4309a0ea5fd6c0699199da5d31aec99883cc6e 2472 node-json-schema_0.4.0+~7.0.9-1.dsc
 e322dc0700f811158aa63382c595d31a006a1b077435b6a70ea8e81c2fe64a7b 6164 node-json-schema_0.4.0+~7.0.9.orig-Xtypes.tar.gz
 50b4ac7b7541dea6ef50c955d75680b1fd03df14678b0fdd3e3a2cd3c5ee27cd 38002 node-json-schema_0.4.0+~7.0.9.orig.tar.gz
 8b79ae203bf4bdc5b342b8ebd8f982f0e7fca47f034c900b2223b34b4d645bda 5064 node-json-schema_0.4.0+~7.0.9-1.debian.tar.xz
 0deba505d1a0ac5343a928014c6dcae0c833e5b3ac5eec3686039efb68e49588 5957 node-json-schema_0.4.0+~7.0.9-1_amd64.buildinfo
Files:
 d0747e7d0cf1ce2b1ab9acf0b35f568d 2472 javascript optional node-json-schema_0.4.0+~7.0.9-1.dsc
 f2bb24f2e895541683dcfa11462b875d 6164 javascript optional node-json-schema_0.4.0+~7.0.9.orig-Xtypes.tar.gz
 2ce75aca30571d40f28015bde7f3f053 38002 javascript optional node-json-schema_0.4.0+~7.0.9.orig.tar.gz
 075b9793eebedc81d760beb93eee57a6 5064 javascript optional node-json-schema_0.4.0+~7.0.9-1.debian.tar.xz
 a0523c9cdeda61828fb5f310f583d308 5957 javascript optional node-json-schema_0.4.0+~7.0.9-1_amd64.buildinfo


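The changelog above describes the upstream fix for CVE-2021-3918 as "disallow __proto__ property being used for schema default/coerce and protect against constructor modification". What follows is an added illustration of that bug class and that fix, not json-schema's own source: a small walker in the style of a draft-3 `properties`/`default` pass, written once the vulnerable way and once hardened along the lines the changelog names. The function names, the `FORBIDDEN_KEYS` set and the three schemas are constructed for this example.

```javascript
// Added illustration for CVE-2021-3918 (not json-schema's own source code).
// Mimics a draft-3 style `properties` walk that fills in `default` values.
// Function names and the schemas below are constructed for this example.

// Vulnerable walk: iterates every schema property name, reads
// `instance[key]` through the prototype chain and writes defaults into
// whatever that read returned. A schema key of "__proto__" resolves to
// Object.prototype; "constructor" resolves to Object, whose `.prototype`
// is reached one level deeper. Either way the default lands on the global
// Object.prototype and every object in the process inherits it.
function applyDefaultsVulnerable(instance, properties) {
  for (const key in properties) {
    const propDef = properties[key];
    let value = instance[key]; // may be an inherited value such as Object.prototype
    if (value === undefined && propDef.default !== undefined) {
      value = instance[key] = propDef.default;
    }
    // Keep descending into functions too (Object itself), the way a validator
    // that records a type error but continues walking would.
    if (value !== null && (typeof value === 'object' || typeof value === 'function') &&
        propDef.properties) {
      applyDefaultsVulnerable(value, propDef.properties);
    }
  }
  return instance;
}

// Hardened walk, following the changelog: refuse the keys that reach the
// prototype, enumerate own keys of the schema only, and never read inherited
// values from the instance, so the walk cannot leave the caller's own objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function applyDefaultsHardened(instance, properties) {
  for (const key of Object.keys(properties)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const propDef = properties[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(instance, key);
    let value = hasOwn ? instance[key] : undefined;
    if (value === undefined && propDef.default !== undefined) {
      value = instance[key] = propDef.default;
    }
    if (value !== null && typeof value === 'object' && propDef.properties) {
      applyDefaultsHardened(value, propDef.properties);
    }
  }
  return instance;
}

// Constructed attacker schemas. They must be parsed from JSON: an object
// literal with a `__proto__:` key would set the literal's prototype instead
// of creating an own property named "__proto__", which is what a schema
// received over the wire actually contains.
const PROTO_SCHEMA =
  '{"properties":{"__proto__":{"properties":{"polluted":{"default":"yes"}}}}}';
const CTOR_SCHEMA =
  '{"properties":{"constructor":{"properties":{"prototype":{"properties":{"polluted":{"default":"yes"}}}}}}}';
// Constructed benign schema to show the hardened walk still applies defaults.
const BENIGN_SCHEMA =
  '{"properties":{"name":{"default":"anon"},"limits":{"properties":{"max":{"default":10}}}}}';

// Run one walk over an empty instance and report what an unrelated, freshly
// created object inherits afterwards. Cleans Object.prototype up again so the
// vulnerable run does not poison the rest of the process.
function pollutionAfter(applyDefaults, schemaJson, marker = 'polluted') {
  applyDefaults({}, JSON.parse(schemaJson).properties);
  const seen = ({})[marker];
  delete Object.prototype[marker];
  return seen;
}

function main() {
  console.log('vulnerable, __proto__ key  :', pollutionAfter(applyDefaultsVulnerable, PROTO_SCHEMA));
  console.log('vulnerable, constructor key:', pollutionAfter(applyDefaultsVulnerable, CTOR_SCHEMA));
  console.log('hardened,   __proto__ key  :', pollutionAfter(applyDefaultsHardened, PROTO_SCHEMA));
  console.log('hardened,   constructor key:', pollutionAfter(applyDefaultsHardened, CTOR_SCHEMA));
  console.log('hardened,   benign schema  :',
    JSON.stringify(applyDefaultsHardened({ limits: {} }, JSON.parse(BENIGN_SCHEMA).properties)));
}

main();
```

The point of the two walks is that the schema, not only the instance, is attacker-influenced in the scenario the CVE covers, so key filtering has to happen on the schema side and instance reads must stay on own properties. When checking an application rather than the Debian package, `npm ls json-schema` shows every copy in the tree, since json-schema is usually present only transitively (via jsprim and http-signature); anything below 0.4.0 is in the affected range. Freezing `Object.prototype` at startup, or running Node with `--frozen-intrinsics`, is a defence-in-depth layer that would turn this pollution into a thrown error instead of a silent global change.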



Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 16 Nov 2021 13:21:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Nov 17 09:02:46 2021; Machine Name: bembo
