Bug#991632: buster-pu: package node-jszip/3.1.4+dfsg-1+deb10u1

To: Yadd <yadd@debian.org>, 991632@bugs.debian.org
Subject: Bug#991632: buster-pu: package node-jszip/3.1.4+dfsg-1+deb10u1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Thu, 30 Sep 2021 20:45:39 +0100
Message-id: <[🔎] c6fbfe9d60cf1461df7a11a552098345fb53550a.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 991632@bugs.debian.org
In-reply-to: <162755683839.1055144.13978508853156109387.reportbug@deb007.xnr.fr>
References: <162755683839.1055144.13978508853156109387.reportbug@deb007.xnr.fr> <162755683839.1055144.13978508853156109387.reportbug@deb007.xnr.fr>

Control: tags -1 + moreinfo

On Thu, 2021-07-29 at 13:07 +0200, Yadd wrote:
> node-jszip is vulnerable to a prototype pollution (CVE-2021-23413)
> 

+  * Fix a null prototype object for this.files (Closes: CVE-2021-
23413)

As far as I can tell, you're fixing an issue by *using* a null
prototype object, whereas the changelog entry above implies that you're
removing such a use.

Regards,

Adam

Reply to:

Prev by Date: Processed: Re: Bug#992117: buster-pu: package node-tar/4.4.6+ds1-3+deb10u1
Next by Date: Bug#995415: unblock: theano/1.0.5+dfsg-3 - not really a regression
Previous by thread: Processed: Re: Bug#992117: buster-pu: package node-tar/4.4.6+ds1-3+deb10u1
Next by thread: Processed: Re: Bug#991632: buster-pu: package node-jszip/3.1.4+dfsg-1+deb10u1
Index(es):
- Date
- Thread