Bug#969706: buster-pu: package grunt/1.0.1-8+deb10u1

To: Xavier Guimard <yadd@debian.org>, 969706@bugs.debian.org
Subject: Bug#969706: buster-pu: package grunt/1.0.1-8+deb10u1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Thu, 17 Sep 2020 20:31:56 +0100
Message-id: <[🔎] 5d999e98c22e9b949083a5c581ebff9c47543660.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 969706@bugs.debian.org
In-reply-to: <[🔎] 159942900010.621220.8860505264724148088.reportbug@deb007.xnr.fr>
References: <[🔎] 159942900010.621220.8860505264724148088.reportbug@deb007.xnr.fr> <[🔎] 159942900010.621220.8860505264724148088.reportbug@deb007.xnr.fr>

Control: tags -1 + confirmed

On Sun, 2020-09-06 at 23:50 +0200, Xavier Guimard wrote:
> grunt is vulnerable to a medium CVE (CVE-2020-7729, #969668)
> 
> [ Impact ]
> The package grunt before 1.3.0 are vulnerable to Arbitrary Code
> Execution due to the default usage of the function load() instead of
> its secure replacement safeLoad() of the package js-yaml inside
> grunt.file.readYAML.

Please go ahead.

Regards,

Adam

Reply to:

References:
- Bug#969706: buster-pu: package grunt/1.0.1-8+deb10u1
  - From: Xavier Guimard <yadd@debian.org>

Prev by Date: Processed: Re: Bug#970098: buster-pu: package orocos-kdl/1.4.0-7+deb10u1
Next by Date: Processed: Re: Bug#969706: buster-pu: package grunt/1.0.1-8+deb10u1
Previous by thread: Bug#969706: buster-pu: package grunt/1.0.1-8+deb10u1
Next by thread: Processed: Re: Bug#969706: buster-pu: package grunt/1.0.1-8+deb10u1
Index(es):
- Date
- Thread