Related Vulnerabilities: CVE-2020-5259, CVE-2020-5258

Debian Bug report logs - #953587
dojo: CVE-2020-5259


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 10 Mar 2020 21:42:03 UTC

Severity: important

Tags: security, upstream

Found in version dojo/1.15.2+dfsg1-1

Fixed in version dojo/1.15.3+dfsg1-1

Done: Xavier Guimard <yadd@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#953587; Package src:dojo. (Tue, 10 Mar 2020 21:42:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Tue, 10 Mar 2020 21:42:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dojo: CVE-2020-5259
Date: Tue, 10 Mar 2020 22:38:47 +0100
Source: dojo
Version: 1.15.2+dfsg1-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for dojo.

CVE-2020-5259[0]:
| In affected versions of dojox (NPM package), the jqMix method is
| vulnerable to Prototype Pollution. Prototype Pollution refers to the
| ability to inject properties into existing JavaScript language
| construct prototypes, such as objects. An attacker manipulates these
| attributes to overwrite, or pollute, a JavaScript application object
| prototype of the base object by injecting other values. This has been
| patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5259
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5259
[1] https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
[2] https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
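As an added illustration of the bug class the CVE text describes (this is not dojox's jqMix and not code from this report; the affected function itself is not shown on the page), a minimal recursive extend-style mixin with the prototype pollution defect is shown beside a hardened version that refuses keys reaching the prototype chain. The untrusted input is a constructed sample.

```javascript
// Added illustration, not dojox's jqMix (which is not on this page): a minimal
// recursive extend-style mixin with the prototype pollution bug, a hardened
// version, and a check that runs both on a constructed input.
function isObject(v) {
  return v !== null && typeof v === 'object';
}
// Unsafe: recurses into every enumerable key. For a key named "__proto__",
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// into the shared prototype instead of into the target object.
function unsafeMix(target, source) {
  for (const key in source) {
    const src = source[key];
    if (isObject(src) && isObject(target[key])) {
      unsafeMix(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened: skip keys that reach the prototype chain, copy own keys only,
// and recurse only into a plain object the target itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMix(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    if (isObject(src)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isObject(target[key])) {
        target[key] = {};
      }
      safeMix(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Runs both mixins; reports whether Object.prototype got the marker, then removes it.
function demo() {
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "a": {"b": 1}}');
  const safeTarget = safeMix({}, untrusted);
  const safePolluted = ({}).polluted === true;
  unsafeMix({}, untrusted);
  const unsafePolluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { safePolluted, unsafePolluted, safeCopiedA: safeTarget.a.b === 1 };
}
```

The same ownership check is what makes the hardened version safe even when the input comes from JSON.parse, which creates `__proto__` as an ordinary own key.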



Reply sent to Xavier Guimard <yadd@debian.org>:
You have taken responsibility. (Wed, 11 Mar 2020 05:24:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 11 Mar 2020 05:24:08 GMT)


Message #10 received at 953587-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 953587-close@bugs.debian.org
Subject: Bug#953587: fixed in dojo 1.15.3+dfsg1-1
Date: Wed, 11 Mar 2020 05:20:11 +0000
Source: dojo
Source-Version: 1.15.3+dfsg1-1
Done: Xavier Guimard <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
dojo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 953587@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated dojo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 11 Mar 2020 05:49:24 +0100
Source: dojo
Architecture: source
Version: 1.15.3+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 953585 953587
Changes:
 dojo (1.15.3+dfsg1-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 1.15.3+dfsg1 (Closes: #953585, #953587,
     CVE-2020-5258, CVE-2020-5259)






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Mar 11 08:33:44 2020; Machine Name: buxtehude
