
Debian Bug report logs - #906540
dojo: CVE-2018-15494


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 18 Aug 2018 08:48:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version dojo/1.13.0+dfsg1-3

Fixed in version dojo/1.14.1+dfsg1-1

Done: Bastien Roucariès <rouca@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/dojo/dojox/pull/283




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#906540; Package src:dojo. (Sat, 18 Aug 2018 08:48:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sat, 18 Aug 2018 08:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dojo: CVE-2018-15494
Date: Sat, 18 Aug 2018 10:45:44 +0200
Source: dojo
Version: 1.13.0+dfsg1-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/dojo/dojox/pull/283

Hi,

The following vulnerability was published for dojo.

CVE-2018-15494[0]:
| In Dojo Toolkit before 1.14, there is unescaped string injection in
| dojox/Grid/DataGrid.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-15494
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15494
[1] https://github.com/dojo/dojox/pull/283

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
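
The bug metadata above gives a found-in version (1.13.0+dfsg1-3) and a fixed-in version (1.14.1+dfsg1-1), so the first triage question on a Debian host is whether the installed dojo package sorts at or after the fix. The following is an added example, not code from this bug report, from Debian, or from the dojo project: a Python implementation of the Debian version comparison rules (Debian Policy section 5.6.12) that answers that question offline. Only the two version strings are taken from this page; the function names, the constructed sample versions in the main block, and the epoch example are this example's own.

```python
"""Check whether an installed Debian package version is at or past the fixed
version recorded in this bug report (dojo 1.14.1+dfsg1-1 fixes CVE-2018-15494).

Added example, not Debian's or dojo's own code. Implements the version
comparison rules from Debian Policy 5.6.12: epoch:upstream-revision, '~'
sorts before everything (even end of string), letters sort before
non-letters, and runs of digits compare numerically.
"""
import re

# Version strings taken from the bug metadata on this page.
FOUND_IN = "1.13.0+dfsg1-3"
FIXED_IN = "1.14.1+dfsg1-1"


def parse_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision).

    The epoch is everything before the first ':' (default 0); the Debian
    revision is everything after the last '-' (absent is equivalent to 0).
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _char_order(c):
    """Sort key for one character of a non-digit run.

    '~' sorts before anything, including end of string (-1); end of string
    is 0; letters keep their ASCII value; everything else is pushed above
    the letters so that letters sort first (Policy 5.6.12).
    """
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_nondigit(a, b):
    """Lexical comparison of two non-digit runs with the modified ordering."""
    for i in range(max(len(a), len(b))):
        ka = _char_order(a[i] if i < len(a) else "")
        kb = _char_order(b[i] if i < len(b) else "")
        if ka != kb:
            return -1 if ka < kb else 1
    return 0


def _compare_fragment(a, b):
    """Compare an upstream version or a Debian revision string."""
    while a or b:
        # Leading run of non-digits, compared with the modified lexical order.
        nda = re.match(r"[^0-9]*", a).group(0)
        ndb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(nda):], b[len(ndb):]
        result = _compare_nondigit(nda, ndb)
        if result:
            return result
        # Leading run of digits, compared numerically (empty counts as 0).
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or
    newer than b, mirroring `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _compare_fragment(ua, ub)
    if result:
        return result
    return _compare_fragment(ra, rb)


def is_fixed(installed, fixed=FIXED_IN):
    """True when `installed` is the fixed unstable upload or newer.

    Caveat: a stable-branch backport of the fix carries a different version
    string, so a False here is not proof of exposure; the Debian security
    tracker entry for the CVE is the authoritative per-suite answer.
    """
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample versions; the epoch case shows that an epoch wins
    # over a numerically lower upstream version, exactly as dpkg orders it.
    for v in (FOUND_IN, FIXED_IN, "1.14.0~rc1+dfsg1-1", "1:1.10.4+dfsg-1"):
        print(f"{v:>22}  fixed={is_fixed(v)}")
```

On a Debian host the same comparison is available as `dpkg --compare-versions 1.13.0+dfsg1-3 lt 1.14.1+dfsg1-1 && echo older`; the Python version is for fleet inventories or audit scripts that run where dpkg is not installed.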



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 23 Aug 2018 17:15:29 GMT)


Reply sent to Bastien Roucariès <rouca@debian.org>:
You have taken responsibility. (Wed, 05 Sep 2018 13:21:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 05 Sep 2018 13:21:12 GMT)


Message #12 received at 906540-close@bugs.debian.org:

From: Bastien Roucariès <rouca@debian.org>
To: 906540-close@bugs.debian.org
Subject: Bug#906540: fixed in dojo 1.14.1+dfsg1-1
Date: Wed, 05 Sep 2018 13:19:45 +0000
Source: dojo
Source-Version: 1.14.1+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
dojo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 906540@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated dojo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 05 Sep 2018 14:59:53 +0200
Source: dojo
Binary: libjs-dojo-core libjs-dojo-dijit libjs-dojo-dojox shrinksafe
Architecture: source
Version: 1.14.1+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 libjs-dojo-core - modular JavaScript toolkit
 libjs-dojo-dijit - modular JavaScript toolkit - Dijit
 libjs-dojo-dojox - modular JavaScript toolkit - DojoX
 shrinksafe - JavaScript compression system
Closes: 906540
Changes:
 dojo (1.14.1+dfsg1-1) unstable; urgency=medium
 .
   * New upstream version.
   * Fix CVE-2018-15494 (Closes: #906540):
     In Dojo Toolkit before 1.14, there is unescaped string injection in
     dojox/Grid/DataGrid.
Checksums-Sha1:
 6ae4944de327ffa498050f81704fefcbfb0b5497 2379 dojo_1.14.1+dfsg1-1.dsc
 2590f4e114ea934d3e2e8f24cfb331552d552710 33909294 dojo_1.14.1+dfsg1.orig.tar.gz
 954a12fbd895fb764742d21dbdb82340bada7b86 14792 dojo_1.14.1+dfsg1-1.debian.tar.xz
 a5d61dbdd90f8ce05582f27105f69605576df953 6068 dojo_1.14.1+dfsg1-1_source.buildinfo
Checksums-Sha256:
 b96bd4c3319ae88cba0aaf64ff60577f5d363b36ea2e9facdc975d3660b1fb50 2379 dojo_1.14.1+dfsg1-1.dsc
 dcc8f8dc252e600a4b404bf339a3f05cecad6ea96c93e3a1587252a1e6e1d83a 33909294 dojo_1.14.1+dfsg1.orig.tar.gz
 0c5d9f7b48c1fd9f57292bf8bd6b175672a836bdf5c89291e5ed598b62f72148 14792 dojo_1.14.1+dfsg1-1.debian.tar.xz
 cd923f9b4bdfcb05b196b7dc90cb7a1c7ed63c89c1456cb007ca818bd7bf6a38 6068 dojo_1.14.1+dfsg1-1_source.buildinfo
Files:
 8a3e54d708a36fc99afa37fb658734f2 2379 javascript optional dojo_1.14.1+dfsg1-1.dsc
 cb7749ba3f71f14e43ca99ae0b853e72 33909294 javascript optional dojo_1.14.1+dfsg1.orig.tar.gz
 696f1c7674033b4f9d136360d9e9f966 14792 javascript optional dojo_1.14.1+dfsg1-1.debian.tar.xz
 621d81e34b1fef0f2e038c1f5ea18174 6068 javascript optional dojo_1.14.1+dfsg1-1_source.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Oct 2018 07:27:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:22:04 2019; Machine Name: buxtehude
