[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution
On 20/07/2019 at 06:32, Paolo Greppi wrote:
> Package: node-mixin-deep
> Version: 1.1.3-3
> Severity: important
>
> Dear Maintainer,
>
> node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability:
> https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
> https://github.com/jonschlinkert/mixin-deep/issues/6
>
> Please upgrade to either 1.3.2 or 2.0.1.
>
> Thanks, Paolo

Looking at upstream issue comment, this issue has been already reported by DSA and fixed (#898315, CVE-2018-3719)

See https://salsa.debian.org/js-team/node-mixin-deep/blob/master/debian/patches/CVE-2018-3719.diff

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] automatically pulling vulnerabilities from snyk.io
On 20/07/2019 at 07:11, Paolo Greppi wrote:
> After filing https://bugs.debian.org/932500 I realized it would be great to have
> some automation in place to automatically pull vulnerabilities from
> https://snyk.io and turn them into CVE bugs in BTS.
>
> Thoughts ?
>
> Paolo

Hello,

our security team follows CVE and opens BTS if needed
[Pkg-javascript-devel] automatically pulling vulnerabilities from snyk.io
After filing https://bugs.debian.org/932500 I realized it would be great to have some automation in place to automatically pull vulnerabilities from https://snyk.io and turn them into CVE bugs in BTS.

Thoughts ?

Paolo
[Pkg-javascript-devel] Processed: tagging 932500, retitle 932500 to vulnerability: CVE-2019-10746: prototype pollution
Processing commands for cont...@bugs.debian.org:

> tags 932500 + security
Bug #932500 [node-mixin-deep] vulnerability: prototype pollution
Added tag(s) security.
> retitle 932500 vulnerability: CVE-2019-10746: prototype pollution
Bug #932500 [node-mixin-deep] vulnerability: prototype pollution
Changed Bug title to 'vulnerability: CVE-2019-10746: prototype pollution' from 'vulnerability: prototype pollution'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
932500: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932500
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
[Pkg-javascript-devel] Bug#932500: vulnerability: prototype pollution
Package: node-mixin-deep
Version: 1.1.3-3
Severity: important

Dear Maintainer,

node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability:
https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
https://github.com/jonschlinkert/mixin-deep/issues/6

Please upgrade to either 1.3.2 or 2.0.1.

Thanks, Paolo

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/12 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages node-mixin-deep depends on:
ii  node-for-in         1.0.2-1
ii  node-is-extendable  1.0.1-1
ii  nodejs              10.15.2~dfsg-2

node-mixin-deep recommends no packages.

node-mixin-deep suggests no packages.

-- no debconf information
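As an added illustration of the bug class this report names (hypothetical code, not node-mixin-deep itself, its upstream fix, or the Debian patch): a recursive merge of the kind mixin-deep performs, with the key guard that stops a parsed JSON document's `__proto__`, `constructor` or `prototype` members from being written through to Object.prototype, and a check function that confirms the shared prototype stays clean. The function names and the sample input are constructed for this example.

```javascript
// Added example (hypothetical code, not node-mixin-deep or its Debian patch):
// a recursive object merge that refuses the keys a prototype pollution
// payload relies on, plus a check that Object.prototype stays clean.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Plain objects only; arrays, functions and null are copied by reference.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Merge each source into target recursively. Own keys are used, so a
// "__proto__" member produced by JSON.parse is seen and rejected instead
// of being treated as the target's prototype link.
function safeMixinDeep(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) {
        throw new Error(`refusing to merge forbidden key: ${key}`);
      }
      const val = source[key];
      if (isPlainObject(val) && isPlainObject(target[key])) {
        safeMixinDeep(target[key], val);
      } else if (isPlainObject(val)) {
        target[key] = safeMixinDeep({}, val); // copy, do not alias caller's data
      } else {
        target[key] = val;
      }
    }
  }
  return target;
}

// Constructed input: a parsed JSON document carrying a "__proto__" member.
// After JSON.parse it is an ordinary own property, which is what the
// guard above looks for.
const CONSTRUCTED_INPUT = JSON.parse('{"__proto__": {"polluted": true}, "ok": 1}');

// Returns true when the merge rejected the input and a fresh object still
// has no "polluted" property, i.e. Object.prototype was not modified.
function prototypeStaysClean(input = CONSTRUCTED_INPUT) {
  let rejected = false;
  try {
    safeMixinDeep({}, input);
  } catch (e) {
    rejected = true;
  }
  return rejected && !('polluted' in {});
}
```

Run `prototypeStaysClean()` after the merge in a test suite to catch a regression that reintroduces the unguarded key handling.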
Re: [Pkg-javascript-devel] Merging node-jquery and libjs-jquery source packages
Hi all,

I agree to merge them. Following our policy, source package should be named jquery.js. For now we have:
* node-jquery => src:node-jquery
* libjs-jquery => src:jquery

Then if we don't want to upload a new package, I prefer to keep src:jquery as source name

Cheers,
Xavier

On 19 July 2019 11:48:07 GMT+02:00, Pirate Praveen wrote:
>Hi,
>
>Historically we did not have the build tools for jquery in the archive,
>so a custom build system was created to build libjs-jquery. If there is
>any change in upstream build system, it will be hard to update this
>build system and since the same build tools used by upstream is now
>available in the archive, I don't think the original need for this
>custom build system is no longer valid.
>
>node-jquery was just the original unbuilt source. Once we had the build
>tools in Debian, I was able to build jquery 2 with tools in the archive
>(rainloop wanted jquery 2 and its upstream already switched to jquery
>3). libjs-jquery was already shipping jquery 3. Now I updated
>node-jquery also to version 3. It is a good time to merge these two
>packages.
>
>I think node-jquery should provide libjs-jquery now for ease of long
>term maintenance. Comments?
>--
>Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
[Pkg-javascript-devel] Merging node-jquery and libjs-jquery source packages
Hi,

Historically we did not have the build tools for jquery in the archive, so a custom build system was created to build libjs-jquery. If there is any change in upstream build system, it will be hard to update this build system and since the same build tools used by upstream is now available in the archive, I don't think the original need for this custom build system is no longer valid.

node-jquery was just the original unbuilt source. Once we had the build tools in Debian, I was able to build jquery 2 with tools in the archive (rainloop wanted jquery 2 and its upstream already switched to jquery 3). libjs-jquery was already shipping jquery 3. Now I updated node-jquery also to version 3. It is a good time to merge these two packages.

I think node-jquery should provide libjs-jquery now for ease of long term maintenance. Comments?

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.