node-minimist: CVE-2020-7598


Debian Bug report logs - #953762
node-minimist: CVE-2020-7598


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 13 Mar 2020 04:42:01 UTC

Severity: important

Tags: security, upstream

Found in version node-minimist/1.2.0-1

Fixed in version node-minimist/1.2.5-1

Done: Xavier Guimard <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#953762; Package src:node-minimist. (Fri, 13 Mar 2020 04:42:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Fri, 13 Mar 2020 04:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-minimist: CVE-2020-7598
Date: Fri, 13 Mar 2020 05:38:30 +0100
Source: node-minimist
Version: 1.2.0-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for node-minimist.

CVE-2020-7598[0]:
| minimist before 1.2.2 could be tricked into adding or modifying
| properties of Object.prototype using a "constructor" or "__proto__"
| payload.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7598
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598
[1] https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
[2] https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Regards,
Salvatore
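The report above describes the bug only in one sentence. The following is an added illustration, not minimist's own code and not part of the bug log: a minimal model of how an argv parser assigns a dotted key such as `--a.b=c` into nested objects, once in the vulnerable form (descending into whatever `o[key]` already is, so `__proto__` or `constructor.prototype` reaches `Object.prototype`) and once hardened in the spirit of the upstream fix referenced at [2]. The hardened form here is stricter than upstream (it refuses `constructor` and `prototype` as path segments outright); the parser and the `isPolluted` regression check are assumptions for this example.

```javascript
// Added illustration of CVE-2020-7598 (not minimist's own code): a minimal
// model of nested-key assignment in an argv parser, vulnerable and hardened.

// Vulnerable: walks into whatever o[key] already holds, so "__proto__" (or
// "constructor" then "prototype") reaches Object.prototype and the final
// assignment lands on the shared prototype of every object in the process.
function setKeyVulnerable(o, keys, value) {
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened (stricter than upstream 1.2.2+, which blocks "__proto__" and
// replaces built-in prototypes it meets): refuse the three dangerous segment
// names and never descend into anything that is not a plain own object.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function setKeySafe(o, keys, value) {
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (FORBIDDEN.has(key)) return;
    const cur = o[key];
    if (cur === undefined || cur === null || typeof cur !== 'object' ||
        cur === Object.prototype) o[key] = {};
    o = o[key];
  }
  const last = keys[keys.length - 1];
  if (FORBIDDEN.has(last)) return;
  o[last] = value;
}

// Tiny stand-in parser (assumption): only the "--a.b.c=value" form is handled.
function parseArgs(args, setKey) {
  const argv = {};
  for (const arg of args) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(argv, m[1].split('.'), m[2]);
  }
  return argv;
}

// Regression check: true if parsing `payload` with `setKey` changed
// Object.prototype (observable on a fresh, unrelated object). Cleans up after
// itself so the rest of the process is not left polluted.
function isPolluted(setKey, payload = '--__proto__.polluted=yes') {
  parseArgs([payload], setKey);
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}
```

Running `isPolluted(setKeyVulnerable)` returns `true` and `isPolluted(setKeySafe)` returns `false`; the same check, run against the real `minimist` export, is a quick way to confirm a deployed version carries the fix.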



Reply sent to Xavier Guimard <yadd@debian.org>:
You have taken responsibility. (Fri, 13 Mar 2020 06:30:02 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 13 Mar 2020 06:30:02 GMT)


Message #10 received at 953762-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 953762-close@bugs.debian.org
Subject: Bug#953762: fixed in node-minimist 1.2.5-1
Date: Fri, 13 Mar 2020 06:26:00 +0000
Source: node-minimist
Source-Version: 1.2.5-1
Done: Xavier Guimard <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-minimist, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 953762@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated node-minimist package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 13 Mar 2020 06:24:15 +0100
Source: node-minimist
Architecture: source
Version: 1.2.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 953762
Changes:
 node-minimist (1.2.5-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.5.0
   * Bump debhelper compatibility level to 12
   * Update VCS fields to salsa
   * Use pkg-js-tools auto install
   * Add "Rules-Requires-Root: no"
   * Change section to javascript
   * New upstream version 1.2.5 (Closes: #953762, CVE-2020-7598)
   * Enable upstream test using tap







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Mar 13 08:33:52 2020; Machine Name: beach
