Bug#941227: buster-pu: package node-set-value/0.4.0-1+deb10u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#941227: buster-pu: package node-set-value/0.4.0-1+deb10u1
From: Xavier Guimard <yadd@debian.org>
Date: Thu, 26 Sep 2019 20:11:41 +0200
Message-id: <[🔎] 156952150103.4532.14535276348945603050.reportbug@deb007.xnr.fr>
Reply-to: Xavier Guimard <yadd@debian.org>, 941227@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

node-set-value is vulnerable to prototype pollution (#941189,
CVE-2019-10747). I imported and adapted upstream patch and added a test
inspired from CVE report [1]. I think this could be safely added to next
buster point release.

Cheers,
Xavier

[1]: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213

Reply to:

Follow-Ups:
- Bug#941227: [Pkg-javascript-devel] Bug#941227: buster-pu: package node-set-value/0.4.0-1+deb10u1
  - From: Xavier <yadd@debian.org>

Prev by Date: Bug#940817: marked as done (transition: liblouis)
Next by Date: Bug#941227: [Pkg-javascript-devel] Bug#941227: buster-pu: package node-set-value/0.4.0-1+deb10u1
Previous by thread: Bug#934132: Bug 934132/apt breakage
Next by thread: Bug#941227: [Pkg-javascript-devel] Bug#941227: buster-pu: package node-set-value/0.4.0-1+deb10u1
Index(es):
- Date
- Thread