Debian Bug report logs -
#932500
vulnerability: CVE-2019-10746: prototype pollution
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, paolo.greppi@libpf.com, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#932500; Package node-mixin-deep.
(Sat, 20 Jul 2019 04:36:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Paolo Greppi <paolo.greppi@libpf.com>:
New Bug report received and forwarded. Copy sent to paolo.greppi@libpf.com, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Sat, 20 Jul 2019 04:36:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: node-mixin-deep
Version: 1.1.3-3
Severity: important
Dear Maintainer,
node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability:
https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
https://github.com/jonschlinkert/mixin-deep/issues/6
Please upgrade to either 1.3.2 or 2.0.1.
Thanks, Paolo
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/12 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages node-mixin-deep depends on:
ii node-for-in 1.0.2-1
ii node-is-extendable 1.0.1-1
ii nodejs 10.15.2~dfsg-2
node-mixin-deep recommends no packages.
node-mixin-deep suggests no packages.
-- no debconf information
Added tag(s) security.
Request was from Paul Wise <pabs@debian.org>
to control@bugs.debian.org.
(Sat, 20 Jul 2019 04:42:03 GMT) (full text, mbox, link).
Changed Bug title to 'vulnerability: CVE-2019-10746: prototype pollution' from 'vulnerability: prototype pollution'.
Request was from Paul Wise <pabs@debian.org>
to control@bugs.debian.org.
(Sat, 20 Jul 2019 04:42:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#932500; Package node-mixin-deep.
(Sat, 20 Jul 2019 06:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Xavier <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Sat, 20 Jul 2019 06:33:05 GMT) (full text, mbox, link).
Message #14 received at 932500@bugs.debian.org (full text, mbox, reply):
Le 20/07/2019 à 06:32, Paolo Greppi a écrit :
> Package: node-mixin-deep
> Version: 1.1.3-3
> Severity: important
>
> Dear Maintainer,
>
> node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability:
> https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
> https://github.com/jonschlinkert/mixin-deep/issues/6
>
> Please upgrade to either 1.3.2 or 2.0.1.
>
> Thanks, Paolo
Looking at upstream issue comment, this issue has been already reported
by DSA and fixed (#898315, CVE-2018-3719)
See
https://salsa.debian.org/js-team/node-mixin-deep/blob/master/debian/patches/CVE-2018-3719.diff
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Jul 20 11:21:42 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon