Your message dated Sun, 19 Jul 2020 06:49:05 +0000
with message-id <e1jx38d-0009m8...@fasolo.debian.org>
and subject line Bug#965283: fixed in node-lodash 4.17.19+dfsg-1
has caused the Debian Bug report #965283,
regarding node-lodash: CVE-2020-8203
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
965283: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965283
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-lodash
Version: 4.17.15+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-lodash.

CVE-2020-8203[0]:
| Prototype pollution attack when using _.zipObjectDeep in lodash <=
| 4.17.15.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8203
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8203
[1] https://hackerone.com/reports/712065

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-lodash
Source-Version: 4.17.19+dfsg-1
Done: Xavier Guimard <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-lodash, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 965...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <y...@debian.org> (supplier of updated node-lodash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 19 Jul 2020 08:13:53 +0200
Source: node-lodash
Architecture: source
Version: 4.17.19+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Xavier Guimard <y...@debian.org>
Closes: 965283
Changes:
 node-lodash (4.17.19+dfsg-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 4.17.19+dfsg (Closes: #965283, CVE-2020-8203)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
