Your message dated Sun, 20 Sep 2020 11:32:08 +0000
with message-id <[email protected]>
and subject line Bug#969309: fixed in node-bl 1.1.2-1+deb10u1
has caused the Debian Bug report #969309,
regarding node-bl: CVE-2020-8244
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
969309: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969309
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-bl
Version: 4.0.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-bl.

CVE-2020-8244[0]:
| A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and
| <2.2.1 which could allow an attacker to supply user input (even
| typed) that if it ends up in consume() argument and can become
| negative, the BufferList state can be corrupted, tricking it into
| exposing uninitialized memory via regular .slice() calls.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8244
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8244
[1] https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190
[2] https://hackerone.com/reports/966347

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-bl
Source-Version: 1.1.2-1+deb10u1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-bl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-bl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Mon, 31 Aug 2020 10:35:09 +0200
Source: node-bl
Architecture: source
Version: 1.1.2-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 969309
Changes:
 node-bl (1.1.2-1+deb10u1) buster; urgency=medium
 .
   * Team upload
   * Add patch to fix over-read vulnerability (Closes: #969309, CVE-2020-8244)


--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel