Re: node-yarnpkg: please update backport to fix CVE-2020-8131
On 26/04/2020 at 08:05, Greg Price wrote:
> Hello,
>
> Thanks for backporting yarnpkg (source node-yarnpkg) to
> buster-backports, with version 1.19.1.
>
> There is now a 1.22.4 in testing:
>
> stable: 1.13.0-1+deb10u1
> stable-bpo: 1.19.1-1~bpo10+1
> testing: 1.22.4-2
> unstable: 1.22.4-2
>
> and it fixes a rather worrying security vulnerability:
> https://security-tracker.debian.org/tracker/CVE-2020-8131
>
>> Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows
>> attackers to write to any path on the filesystem and potentially lead to
>> arbitrary code execution by forcing the user to install a malicious package.
>
> Would you please update the backport to the new version from testing?
>
> Thanks, kind regards,
> Greg
Hi,
This requires node-gulp4, which is waiting for acceptance
(https://ftp-master.debian.org/backports-new.html)
Cheers,
Xavier