Bug#927422: stretch-pu: package jquery/3.1.1-2+deb9u1

Xavier Guimard-3
Package: release.debian.org
Severity: normal
Tags: stretch
User: [hidden email]
Usertags: pu

Hi all,

I fixed https://snyk.io/vuln/SNYK-JS-JQUERY-174006 vulnerability for
Buster. Here is the fix for Stretch. It just avoids Object.prototype
pollution without changing behavior. Could you insert it in the next stretch
update?

Cheers,
Xavier

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Attachment: jquery_3.1.1-2+deb9u1.debdiff (1K)

Bug#927422: stretch-pu: package jquery/3.1.1-2+deb9u1

Salvatore Bonaccorso-4
Hi,

On Fri, Apr 19, 2019 at 03:01:16PM +0200, Xavier Guimard wrote:

> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: [hidden email]
> Usertags: pu
>
> Hi all,
>
> I fixed https://snyk.io/vuln/SNYK-JS-JQUERY-174006 vulnerability for
> Buster. Here is the fix for Stretch. It just avoids Object.prototype
> pollution without changing behavior. Could you insert it in the next stretch
> update?

CVE-2019-11358 was assigned for the respective issue.

Regards,
Salvatore

Bug#927422: stretch-pu: package jquery/3.1.1-2+deb9u1

Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2019-04-20 at 08:10 +0200, Salvatore Bonaccorso wrote:

> Hi,
>
> On Fri, Apr 19, 2019 at 03:01:16PM +0200, Xavier Guimard wrote:
> > I fixed https://snyk.io/vuln/SNYK-JS-JQUERY-174006 vulnerability for
> > Buster. Here is the fix for Stretch. It just avoids Object.prototype
> > pollution without changing behavior. Could you insert it in the next
> > stretch update?
>
> CVE-2019-11358 was assigned for the respective issue.

Please add that to the changelog and go ahead with the upload, bearing
in mind that the window for 9.9 closes during this weekend.

Regards,

Adam

Bug#927422: jquery 3.1.1-2+deb9u1 flagged for acceptance

Adam D. Barratt
In reply to this post by Xavier Guimard-3
Control: tags -1 + pending

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian stretch.

Thanks for your contribution!

Upload details
==============

Package: jquery
Version: 3.1.1-2+deb9u1

Explanation: prevent Object.prototype pollution [CVE-2019-11358]