[Pkg-javascript-devel] Bug#926616: Bug#926616: CVE-2018-3750: Prototype Pollution

Xavier yadd at debian.org
Mon Apr 8 07:07:39 BST 2019


Control: tags -1 + security

On 08/04/2019 at 00:22, Jeff Cliff wrote:
> Package: node-deep-extend
> Version: 0.4.1-1
> Severity: important
> 
> Dear Maintainer,
> 
> As per the ubuntu bug report: 
> 
> from https://snyk.io/vuln/npm:deep-extend:20180409 :
> 
> deep-extend "all the listed modules can be tricked into modifying the prototype of "Object" 
> when the attacker control part of the structure passed to these function."
> 
> This is verifiably true on at least buster, given the PoC listed in the above URL, but
> since it's the same deep-extend in sid, it's probably the same there.
> 
> The following commit apparently fixes this: (though I haven't verified that)
> 
> https://github.com/unclechu/node-deep-extend/commit/433ee51ed606f4e1867ece57b6ff5a47bebb492f

Hello,

This issue is referenced here in
https://security-tracker.debian.org/tracker/CVE-2018-3750 and is marked as
"unimportant".

The commit that fixes this is:
https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
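The class of bug discussed in this thread is a recursive merge that follows a "__proto__" (or "constructor"/"prototype") key from attacker-controlled input down into Object.prototype. Below is an added example of a hardened deep merge written for this bug report; it is not deep-extend's own code nor the code in the fix commit, and the names safeDeepExtend, isPlainObject, prototypeIsClean and demo are our own. It filters the dangerous keys, only recurses into own plain-object slots of the target, and includes the check a maintainer would use to confirm that merging untrusted JSON left Object.prototype untouched.

```javascript
// Added example, not deep-extend's code: a recursive object merge that refuses
// to walk into the keys that reach Object.prototype, plus a post-merge check.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True only for "plain" objects (literals, JSON.parse output, Object.create(null)).
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Merge each source into target in place and return target.
function safeDeepExtend(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    // Object.keys returns own enumerable keys; JSON.parse stores "__proto__"
    // as an own property, so it shows up here and is filtered out.
    for (const key of Object.keys(source)) {
      if (UNSAFE_KEYS.has(key)) continue; // never write into the prototype chain
      const value = source[key];
      if (isPlainObject(value)) {
        // Recurse only into a slot that is an own plain object of target;
        // otherwise start a fresh object so an inherited property is never
        // used as the merge destination.
        const existing = Object.prototype.hasOwnProperty.call(target, key)
          ? target[key]
          : undefined;
        const slot = isPlainObject(existing) ? existing : {};
        target[key] = safeDeepExtend(slot, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Defender's check: a fresh empty object must not inherit the probed key.
function prototypeIsClean(probeKey) {
  return !(probeKey in {});
}

// Constructed sample: an attacker-controlled JSON body merged into app config.
function demo() {
  const untrusted = JSON.parse(
    '{"__proto__": {"isAdmin": true}, "profile": {"name": "x"}}'
  );
  const config = { profile: { role: 'user' } };
  safeDeepExtend(config, untrusted);
  return { config, clean: prototypeIsClean('isAdmin') };
}

module.exports = { safeDeepExtend, isPlainObject, prototypeIsClean, demo };
```

Running demo() merges the legitimate "profile" subtree while the "__proto__" entry is dropped, so prototypeIsClean('isAdmin') stays true. The same probe is a cheap regression test to keep next to any deep-merge or "extend" helper that accepts request bodies.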


