Bug#977735: buster-pu: package node-ini/1.3.5-1+deb10u1

To: Xavier Guimard <yadd@debian.org>, 977735@bugs.debian.org
Subject: Bug#977735: buster-pu: package node-ini/1.3.5-1+deb10u1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sat, 16 Jan 2021 18:01:27 +0000
Message-id: <[🔎] 6a77ac8ce1557262be6404275792cbde6b854875.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 977735@bugs.debian.org
In-reply-to: <160840760982.135517.4821246276549520118.reportbug@deb007.xnr.fr>
References: <160840760982.135517.4821246276549520118.reportbug@deb007.xnr.fr> <160840760982.135517.4821246276549520118.reportbug@deb007.xnr.fr>

Control: tags -1 + confirmed

On Sat, 2020-12-19 at 20:53 +0100, Xavier Guimard wrote:
> node-ini is vulnearable to CVE-2020-7788: if an attacker submits a
> malicious
> INI file to an application that parses it with ini.parse, they will
> pollute
> the prototype on the application. This can be exploited further
> depending
> on the context. (#977718)

Please go ahead.

Regards,

Adam

Reply to:

Prev by Date: Processed: Re: Bug#977735: buster-pu: package node-ini/1.3.5-1+deb10u1
Next by Date: Bug#979724: buster-pu: package libmaxminddb/1.3.2-1+deb10u1
Previous by thread: Re: 10.8 planning
Next by thread: Processed: Re: Bug#977735: buster-pu: package node-ini/1.3.5-1+deb10u1
Index(es):
- Date
- Thread