CVE-2018-6561

Debian Bug report logs - #898944
CVE-2018-6561

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 17 May 2018 16:57:01 UTC

Severity: grave

Tags: security

Fixed in version dojo/1.13.0+dfsg1-1

Done: Bastien Roucariès <rouca@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#898944; Package src:dojo. (Thu, 17 May 2018 16:57:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Thu, 17 May 2018 16:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-6561
Date: Thu, 17 May 2018 18:53:33 +0200
Source: dojo
Severity: grave
Tags: security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6561

Cheers,
        Moritz



Added tag(s) pending. Request was from roucaries.bastien@gmail.com to control@bugs.debian.org. (Sun, 03 Jun 2018 13:39:06 GMT)


Reply sent to Bastien Roucariès <rouca@debian.org>:
You have taken responsibility. (Sun, 03 Jun 2018 19:21:13 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 03 Jun 2018 19:21:13 GMT)


Message #12 received at 898944-close@bugs.debian.org:

From: Bastien Roucariès <rouca@debian.org>
To: 898944-close@bugs.debian.org
Subject: Bug#898944: fixed in dojo 1.13.0+dfsg1-1
Date: Sun, 03 Jun 2018 19:20:08 +0000
Source: dojo
Source-Version: 1.13.0+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
dojo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898944@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated dojo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jun 2018 20:40:08 +0200
Source: dojo
Binary: libjs-dojo-core libjs-dojo-dijit libjs-dojo-dojox shrinksafe
Architecture: source all
Version: 1.13.0+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 libjs-dojo-core - modular JavaScript toolkit
 libjs-dojo-dijit - modular JavaScript toolkit - Dijit
 libjs-dojo-dojox - modular JavaScript toolkit - DojoX
 shrinksafe - JavaScript compression system
Closes: 831548 852923 863693 898944
Changes:
 dojo (1.13.0+dfsg1-1) unstable; urgency=high
 .
   * Add myself as uploader
   * New upstream release
   * Remove swf file
   * Bump compat and standard version
   * Install shrinksafe to /usr/share/java/shrinksafe
   * Do not use mtasc (Closes: #831548).
     Bail early on the storage plugin, fallback to next storage
     plugin.
   * Move to git dpm
   * Bug fix: "Updating the dojo Uploaders list", thanks to Tobias Frost
     (Closes: #863693).
   * Dojo is now the new upstream of shrinksafe. New shrinksafe will fix
     FTBFS: OPTIMIZER FAILED: JavaException:
     java.lang.RuntimeException: null, thanks to Lucas Nussbaum
     (Closes: #852923).
   * Install dojox documentation
   * Fix CVE-2018-6561 (Closes: #898944)
     dijit.Editor in Dojo Toolkit 1.13 allows XSS via
     the onload attribute of an SVG element.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 04 Jul 2018 07:27:29 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:51:32 2019; Machine Name: beach
