Your message dated Wed, 26 Jan 2022 17:22:12 +0100
with message-id <YfF1NN4/[email protected]>
and subject line Accepted node-cached-path-relative 1.1.0+~1.0.0-1 (source) into unstable
has caused the Debian Bug report #1004338,
regarding node-cached-path-relative: CVE-2021-23518 - prototype pollution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1004338: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004338
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-cached-path-relative
Version: 1.0.2-3
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-cached-path-relative.

CVE-2021-23518[0]:
| The package cached-path-relative before 1.1.0 are vulnerable to
| Prototype Pollution via the cache variable that is set as {} instead
| of Object.create(null) in the cachedPathRelative function, which
| allows access to the parent prototype properties when the object is
| used to create the cached relative path. When using the origin path as
| __proto__, the attribute of the object is accessed instead of a path.
| **Note:** This vulnerability derives from an incomplete fix in
| https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23518
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23518

Please adjust the affected versions in the BTS as needed.

Note: results from incomplete fix for 
https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-3-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: node-cached-path-relative
Source-Version: 1.1.0+~1.0.0-1

----- Forwarded message from Debian FTP Masters <[email protected]> -----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 26 Jan 2022 12:30:15 +0100
Source: node-cached-path-relative
Architecture: source
Version: 1.1.0+~1.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Changes:
 node-cached-path-relative (1.1.0+~1.0.0-1) unstable; urgency=medium
 .
   * Team upload
   * Embed typescript declarations and repack
   * New upstream release 1.1.0 (Closes: CVE-2021-23518)
Checksums-Sha1:
 45290d4f2b3bc4cf3161d03b54b50bce0667d25f 2653 node-cached-path-relative_1.1.0+~1.0.0-1.dsc
 fdbf897f9e4d83516f0d27839ea6cee22c9a04e9 1636 node-cached-path-relative_1.1.0+~1.0.0.orig-types-cached-path-relative.tar.gz
 865576dfef39c0d6a7defde794d078f5308e3ef3 1990 node-cached-path-relative_1.1.0+~1.0.0.orig.tar.gz
 2cf55cf878386e7f0de226cedd7a26b09670d864 3284 node-cached-path-relative_1.1.0+~1.0.0-1.debian.tar.xz
Checksums-Sha256:
 8dd33c6b21d733584e80133ea21e53b77a6227da76c41172df396acbf8415992 2653 node-cached-path-relative_1.1.0+~1.0.0-1.dsc
 c1bff990389d021d2e6cd12d58f223cfa30eaf3ee3c4c803d1bf6a7395fcac92 1636 node-cached-path-relative_1.1.0+~1.0.0.orig-types-cached-path-relative.tar.gz
 e7d2caf69d25de104a9fdacf527c5c4ce9f642e38822c111809589c8b216c365 1990 node-cached-path-relative_1.1.0+~1.0.0.orig.tar.gz
 3ad308bd8c9ec263db53fe19fc15badb3dc78d13f1d57941e6d8745565e981ba 3284 node-cached-path-relative_1.1.0+~1.0.0-1.debian.tar.xz
Files:
 bac21c42e6d20f25b33f12b2ceb6500d 2653 javascript optional node-cached-path-relative_1.1.0+~1.0.0-1.dsc
 a12482814079b561dff8fa7ea61fb0af 1636 javascript optional node-cached-path-relative_1.1.0+~1.0.0.orig-types-cached-path-relative.tar.gz
 338c682882ea82b05c1f197d289ebbdc 1990 javascript optional node-cached-path-relative_1.1.0+~1.0.0.orig.tar.gz
 4dc9e16d62bfb9262c376cbd308142cb 3284 javascript optional node-cached-path-relative_1.1.0+~1.0.0-1.debian.tar.xz


----- End forwarded message -----

--- End Message ---
