CVE-2021-23337 CVE-2020-28500

Debian Bug report logs - #985086
CVE-2021-23337 CVE-2020-28500

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 12 Mar 2021 18:54:01 UTC

Severity: grave

Tags: security, upstream

Fixed in version node-lodash/4.17.21+dfsg+~cs8.31.173-1

Done: Yadd <yadd@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#985086; Package node-lodash. (Fri, 12 Mar 2021 18:54:04 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Fri, 12 Mar 2021 18:54:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2021-23337 CVE-2020-28500
Date: Fri, 12 Mar 2021 19:51:19 +0100
Package: node-lodash
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

CVE-2021-23337:
https://snyk.io/vuln/SNYK-JS-LODASH-1040724

CVE-2020-28500:
https://snyk.io/vuln/SNYK-JS-LODASH-1018905

Cheers,
        Moritz



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 12 Mar 2021 20:03:07 GMT).


Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Sat, 13 Mar 2021 07:36:07 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 13 Mar 2021 07:36:07 GMT).


Message #12 received at 985086-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 985086-close@bugs.debian.org
Subject: Bug#985086: fixed in node-lodash 4.17.21+dfsg+~cs8.31.173-1
Date: Sat, 13 Mar 2021 07:33:41 +0000
Source: node-lodash
Source-Version: 4.17.21+dfsg+~cs8.31.173-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-lodash, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985086@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-lodash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 13 Mar 2021 08:08:00 +0100
Source: node-lodash
Architecture: source
Version: 4.17.21+dfsg+~cs8.31.173-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 985086
Changes:
 node-lodash (4.17.21+dfsg+~cs8.31.173-1) unstable; urgency=medium
 .
   * Team upload
 .
   [ Pirate Praveen ]
   * Fix symbolic link for lodash.fp.js
 .
   [ Yadd ]
   * Add ctype=nodejs to component(s)
   * New upstream version 4.17.21+dfsg+~cs8.31.173
     (Closes: #985086, CVE-2021-23337 CVE-2020-28500)
   * Refresh patches


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 13 09:56:31 2021; Machine Name: buxtehude