Debian Bug report logs - #965283
node-lodash: CVE-2020-8203


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 18 Jul 2020 20:09:02 UTC

Severity: grave

Tags: security, upstream

Found in version node-lodash/4.17.15+dfsg-2

Fixed in version node-lodash/4.17.19+dfsg-1

Done: Xavier Guimard <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#965283; Package src:node-lodash. (Sat, 18 Jul 2020 20:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sat, 18 Jul 2020 20:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-lodash: CVE-2020-8203
Date: Sat, 18 Jul 2020 22:05:27 +0200
Source: node-lodash
Version: 4.17.15+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for node-lodash.

CVE-2020-8203[0]:
| Prototype pollution attack when using _.zipObjectDeep in lodash <=
| 4.17.15.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8203
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8203
[1] https://hackerone.com/reports/712065

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Xavier Guimard <yadd@debian.org>:
You have taken responsibility. (Sun, 19 Jul 2020 06:51:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 19 Jul 2020 06:51:04 GMT)


Message #10 received at 965283-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 965283-close@bugs.debian.org
Subject: Bug#965283: fixed in node-lodash 4.17.19+dfsg-1
Date: Sun, 19 Jul 2020 06:49:05 +0000
Source: node-lodash
Source-Version: 4.17.19+dfsg-1
Done: Xavier Guimard <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-lodash, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 965283@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated node-lodash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 19 Jul 2020 08:13:53 +0200
Source: node-lodash
Architecture: source
Version: 4.17.19+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 965283
Changes:
 node-lodash (4.17.19+dfsg-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 4.17.19+dfsg (Closes: #965283, CVE-2020-8203)
Checksums-Sha1: 
 8afe648e1c456481f634ea359670d6c2407580cb 2588 node-lodash_4.17.19+dfsg-1.dsc
 61f62ef33f5ff389f087ed5c489349093942dfb6 41560 node-lodash_4.17.19+dfsg.orig-lodash-cli.tar.xz
 ba3f4bb48bc3ca6e81a356fd97862ebcc6527239 666884 node-lodash_4.17.19+dfsg.orig.tar.xz
 8335df17f4302f7415b766ab037d6df60d364806 5796 node-lodash_4.17.19+dfsg-1.debian.tar.xz
Checksums-Sha256: 
 0ab28a4732c59b19156b0a10e8b956bb6a1d46d57b1f974ab93deba8796756ed 2588 node-lodash_4.17.19+dfsg-1.dsc
 60211e46cf49a805fced79175317505a6337b440ea3e0e37a3b78ec7d3ce7366 41560 node-lodash_4.17.19+dfsg.orig-lodash-cli.tar.xz
 eefa45ae540e0946f74571d80d1e72daf290797270ad2173f39bf7d317c0a26d 666884 node-lodash_4.17.19+dfsg.orig.tar.xz
 f881719d3dc14d00aacaa8d1e7f8a212a4a0bc9f60bef6aaac0f6662b4d6b913 5796 node-lodash_4.17.19+dfsg-1.debian.tar.xz
Files: 
 a6a34d94302e997ac93ede56c0996764 2588 javascript optional node-lodash_4.17.19+dfsg-1.dsc
 b2217589333a9b2e1dd198bdfa1f3948 41560 javascript optional node-lodash_4.17.19+dfsg.orig-lodash-cli.tar.xz
 5c333d30fee8a679cb5a957aaab23bf0 666884 javascript optional node-lodash_4.17.19+dfsg.orig.tar.xz
 970a8253dfc02c576bac284cb8760931 5796 javascript optional node-lodash_4.17.19+dfsg-1.debian.tar.xz





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 19 09:13:01 2020; Machine Name: buxtehude
