Your message dated Sat, 14 Mar 2020 18:47:18 +0000
with message-id <[email protected]>
and subject line Bug#952771: fixed in dojo 1.14.2+dfsg1-1+deb10u1
has caused the Debian Bug report #952771,
regarding dojo: CVE-2019-10785
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
952771: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952771
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dojo
Version: 1.15.0+dfsg1-1
Severity: important
Tags: security upstream
Control: found -1 1.14.2+dfsg1-1
Hi,
The following vulnerability was published for dojo.
CVE-2019-10785[0]:
| dojox is vulnerable to Cross-site Scripting in all versions before
| version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due
| to dojox.xmpp.util.xmlEncode only encoding the first occurrence of
| each character, not all of them.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-10785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10785
[1] https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
[2] https://snyk.io/vuln/SNYK-JS-DOJOX-548257
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: dojo
Source-Version: 1.14.2+dfsg1-1+deb10u1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dojo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated dojo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 04 Mar 2020 06:41:25 +0100
Source: dojo
Architecture: source
Version: 1.14.2+dfsg1-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Javascript Maintainers
<[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 952771
Changes:
dojo (1.14.2+dfsg1-1+deb10u1) buster; urgency=medium
.
* Team upload
* Cleanup improper regex usage (Closes: #952771, CVE-2019-10785)
Checksums-Sha1:
95c8eb79c224b0d6ee8b89fa11792d8597ea8e9f 2411 dojo_1.14.2+dfsg1-1+deb10u1.dsc
94c78d8d226bb56174cca7bedf2e19049e155e36 15492
dojo_1.14.2+dfsg1-1+deb10u1.debian.tar.xz
Checksums-Sha256:
4960706ca8ddc582b970a6b9792d7ef7a365c8607396548ed9927fd616f43496 2411
dojo_1.14.2+dfsg1-1+deb10u1.dsc
c27503a09dd0053a8e6ad6981801800a5013072082c6eacea6fb904f9db4397c 15492
dojo_1.14.2+dfsg1-1+deb10u1.debian.tar.xz
Files:
9c919e80c0249f48a037140eb8ed46cf 2411 javascript optional
dojo_1.14.2+dfsg1-1+deb10u1.dsc
3bf2ea31c6765a0de3afcff1c04bf6a1 15492 javascript optional
dojo_1.14.2+dfsg1-1+deb10u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAl5ip8IACgkQ9tdMp8mZ
7umKjg/9GQcOxIzgF0+prAHMaCzNo3icEnFzDHwWEVeyLv+vd+MYyDW35YmK0ook
W9Tx2yARslLExeXe/FwFG4rGI1fsacfNqsqEiF2LfawE5uWKiD/gsxeyMtVw7dmj
GJeVdzzc0BBH+QvaAwEhTmjqZ6CRJH+T0vHYOiSP35kkl0DgmkegKOHnZiSilBwU
vS7dFqizufETsj7X6ofxlpdh+IhDA30m16K+4HFB3kFtPaB1pR9KSceD0Y8bjndb
+cyvGqbeb9/MwmSw3oDBnH75mV2vkx5SetWkKWub8z+NBZ52e6F2fiCyTcOu0p6y
fApAoyD/8w8XLwVF1OPcyycrUTe6UQ448duRDT5GXkEgM6klGe1xwMPQx/Q8MYXH
ijOjZJM3rLUmDvl9m/dVJ3pMlOQqj+ki+EMdXAdeozPgG8/sf/ADyatJNhlS0cl/
AICNn/gnHXYkdQHlRe1x+A5kIm8lo+7NANZvU7C0yhVkKjtVTV2OoQAphdlz7CU0
0bJRa2p7SjwLD4G1DxNqDrA3PiWCEjzZifISqMK7wh+nFVzLlRpmBDA1kfHSYxh+
ujxvl1PaofE4aoCbNWUM0s7/kFZRwo6KRr43FkV0l6xpRoCrApOGBbwp3Fh6a3zG
W3F8ifTwU/rciuQdRINwCFT0AwK/qVwuTDlYTfBRISA0Mj8ulxg=
=oOuS
-----END PGP SIGNATURE-----
--- End Message ---
