grunt: CVE-2022-0436 - Path Traversal in grunt prior to 1.5.2

Related Vulnerabilities: CVE-2022-0436  

Debian Bug report logs - #1009676
grunt: CVE-2022-0436 - Path Traversal in grunt prior to 1.5.2


Reported by: Neil Williams <codehelp@debian.org>

Date: Thu, 14 Apr 2022 08:27:01 UTC

Severity: important

Tags: security

Found in version grunt/1.4.1-2

Fixed in version grunt/1.5.2-1

Done: Yadd <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, codehelp@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#1009676; Package src:grunt. (Thu, 14 Apr 2022 08:27:03 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
New Bug report received and forwarded. Copy sent to codehelp@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Thu, 14 Apr 2022 08:27:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: grunt: CVE-2022-0436 - Path Traversal in grunt prior to 1.5.2
Date: Thu, 14 Apr 2022 09:25:05 +0100
Source: grunt
Version: 1.4.1-2
Severity: important
Tags: security
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for grunt.

CVE-2022-0436[0]:
| Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-0436
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0436

Please adjust the affected versions in the BTS as needed.


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-6-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Message sent on to Neil Williams <codehelp@debian.org>:
Bug#1009676. (Thu, 14 Apr 2022 08:45:03 GMT)


Message #8 received at 1009676-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 1009676-submitter@bugs.debian.org
Subject: Bug#1009676 marked as pending in grunt
Date: Thu, 14 Apr 2022 08:40:13 +0000
Control: tag -1 pending

Hello,

Bug #1009676 in grunt reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/grunt/-/commit/43c6eb9b246e566a9658687e111ea9c261c09e35

------------------------------------------------------------------------
New upstream version (Closes: #1009676, CVE-2022-0436)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1009676



Added tag(s) pending. Request was from Yadd <noreply@salsa.debian.org> to 1009676-submitter@bugs.debian.org. (Thu, 14 Apr 2022 08:45:03 GMT)


Message sent on to Neil Williams <codehelp@debian.org>:
Bug#1009676. (Thu, 14 Apr 2022 08:45:05 GMT)


Message #13 received at 1009676-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 1009676-submitter@bugs.debian.org
Subject: Bug#1009676 marked as pending in grunt
Date: Thu, 14 Apr 2022 08:40:12 +0000
Control: tag -1 pending

Hello,

Bug #1009676 in grunt reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/grunt/-/commit/43c6eb9b246e566a9658687e111ea9c261c09e35

------------------------------------------------------------------------
New upstream version (Closes: #1009676, CVE-2022-0436)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1009676



Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Thu, 14 Apr 2022 08:51:07 GMT)


Notification sent to Neil Williams <codehelp@debian.org>:
Bug acknowledged by developer. (Thu, 14 Apr 2022 08:51:07 GMT)


Message #18 received at 1009676-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1009676-close@bugs.debian.org
Subject: Bug#1009676: fixed in grunt 1.5.2-1
Date: Thu, 14 Apr 2022 08:49:44 +0000
Source: grunt
Source-Version: 1.5.2-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
grunt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1009676@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated grunt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 Apr 2022 10:37:57 +0200
Source: grunt
Architecture: source
Version: 1.5.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1009676
Changes:
 grunt (1.5.2-1) experimental; urgency=medium
 .
   * Team upload
   * New upstream version (Closes: #1009676, CVE-2022-0436)
Checksums-Sha1: 
 fa3e118af20d894d3ca6153087f8c177650d70c5 2049 grunt_1.5.2-1.dsc
 88e5b1a1e8c772f31a7140d17bf28dcd5058b8cd 52576 grunt_1.5.2.orig.tar.gz
 3f72385c0365cf6b6d0c787a2ad3f8d53a1d0a0d 4996 grunt_1.5.2-1.debian.tar.xz
Checksums-Sha256: 
 0a7bd9acf11ba06a3f42daff69f3945d751e28f8a02451a07823f709e5d4cb44 2049 grunt_1.5.2-1.dsc
 54ea40beb544152e359e8bfeb6f541e6c99556ddcbabff7d0086ab4d777b0b3b 52576 grunt_1.5.2.orig.tar.gz
 ba8fc6cde10dcc3a2ce594d9ef63283646ca3ec3cdcb8b1b2d45aaefef85eb59 4996 grunt_1.5.2-1.debian.tar.xz
Files: 
 b5355fadda5beee43ddacc1f972ebb10 2049 javascript optional grunt_1.5.2-1.dsc
 af48d15b82aecb6adf1ad4b68a6a19bc 52576 javascript optional grunt_1.5.2.orig.tar.gz
 273389b1ab0452bd5427a618a4772a5f 4996 javascript optional grunt_1.5.2-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 14 13:10:08 2022; Machine Name: bembo
