
Re: node-yarnpkg: please update backport to fix CVE-2020-8131



On 26/04/2020 at 08:05, Greg Price wrote:
> Hello,
> 
> Thanks for backporting yarnpkg (source node-yarnpkg) to
> buster-backports, with version 1.19.1.
> 
> There is now a 1.22.4 in testing:
> 
> stable: 1.13.0-1+deb10u1
> stable-bpo: 1.19.1-1~bpo10+1
> testing: 1.22.4-2
> unstable: 1.22.4-2
> 
> and it fixes a rather worrying security vulnerability:
> https://security-tracker.debian.org/tracker/CVE-2020-8131
> 
>> Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows
>> attackers to write to any path on the filesystem and potentially lead to
>> arbitrary code execution by forcing the user to install a malicious package.
> 
> Would you please update the backport to the new version from testing?
> 
> Thanks, kind regards,
> Greg

Hi,

This requires node-gulp4, which is waiting for acceptance
(https://ftp-master.debian.org/backports-new.html).

Cheers,
Xavier
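As an added example (not part of the mail thread above, and not Debian or Yarn code), the following Python implements the dpkg version-comparison algorithm (epoch, upstream version, Debian revision; `~` sorting before everything, digit runs compared numerically) and uses it to check which of the yarnpkg versions listed in the mail carry an upstream version at or above 1.22.0, the fix boundary given in the quoted CVE text. The suite/version table and the fixed version are taken from the mail; the function names are this example's own. The check is deliberately an upstream-version check only: Debian stable regularly ships security fixes as patches on an older upstream version (a `+debXuY` revision), so a "not fixed" result here means "upstream version is below the fix", and the security tracker page linked above remains the authority on whether a given suite is actually affected.

```python
import re
from typing import Dict, Tuple

# From the CVE description quoted in the mail: "Yarn before 1.22.0" is affected.
FIXED_UPSTREAM = "1.22.0"

# Versions exactly as listed in Greg's mail (source package node-yarnpkg).
SUITES: Dict[str, str] = {
    "stable": "1.13.0-1+deb10u1",
    "stable-bpo": "1.19.1-1~bpo10+1",
    "testing": "1.22.4-2",
    "unstable": "1.22.4-2",
}


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' sorts before everything, including
    the end of the string; letters sort by ASCII; other punctuation after letters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one upstream version or one Debian revision the way dpkg does:
    alternate non-digit runs (compared with _order) and digit runs (compared
    numerically, so 1.10 > 1.9). Returns -1, 0 or 1."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            ca = na[i] if i < len(na) else ""
            cb = nb[i] if i < len(nb) else ""
            d = _order(ca) - _order(cb)
            if d:
                return -1 if d < 0 else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        d = int(da or "0") - int(db or "0")
        if d:
            return -1 if d < 0 else 1
    return 0


def parse_debian_version(v: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; the revision is everything after the
    LAST hyphen, so upstream versions containing hyphens are handled."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_debian_versions(a: str, b: str) -> int:
    """Full dpkg ordering: epoch first, then upstream, then revision."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_fragment(ua, ub)
    if c:
        return c
    return _cmp_fragment(ra, rb)


def upstream_fixed(debian_version: str, fixed_upstream: str = FIXED_UPSTREAM) -> bool:
    """True when the packaged upstream version is >= the upstream fix.
    Caveat: ignores Debian-specific patches (e.g. +deb10u1 revisions), which can
    fix a CVE on an older upstream; consult the security tracker for those."""
    _, upstream, _ = parse_debian_version(debian_version)
    return _cmp_fragment(upstream, fixed_upstream) >= 0


def triage(suites: Dict[str, str] = SUITES) -> Dict[str, bool]:
    """Map each suite to whether its yarnpkg upstream version is at or past 1.22.0."""
    return {suite: upstream_fixed(version) for suite, version in suites.items()}


if __name__ == "__main__":
    for suite, fixed in triage().items():
        print(f"{suite:12s} {SUITES[suite]:20s} upstream >= {FIXED_UPSTREAM}: {fixed}")
```

Run as a script it prints one line per suite; only testing and unstable (1.22.4-2) come out as at or above the fixed upstream, matching Greg's reading of the tracker. The `~bpo10+1` revision sorts below a plain `-1` revision and `+deb10u1` above it, which is the dpkg behaviour backport and stable-update version strings rely on.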

