Bug 26335

Summary: dojo new security issues CVE-2020-5258 and CVE-2020-5259
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, mageia, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: dojo-1.14.5-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-03-12 22:12:36 CET 
Debian-LTS has issued an advisory today (March 12):
https://www.debian.org/lts/security/2020/dla-2139

The issues are fixed upstream in 1.14.6.

Mageia 7 is also affected.
David Walser 2020-03-12 22:12:48 CET

Status comment: (none) => Fixed upstream in 1.14.6
Whiteboard: (none) => MGA7TOO

Nicolas Lécureuil 2020-05-23 20:50:57 CEST

Status comment: Fixed upstream in 1.14.6 => (none)
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 2 Nicolas Lécureuil 2020-05-23 20:54:43 CEST 
Advisory:

The version of dojo provided by mageia 7 is affected by security issues.
This update upgrade dojo to its version 1.14.6


rpms:
dojo-1.14.6-1.mga7

from:
dojo-1.14.6-1.mga7

Assignee: geiger.david68210 => qa-bugs

Comment 3 David Walser 2020-05-23 20:57:28 CEST 
Advisory:
========================

Updated dojo package fixes security vulnerabilities:

In affected versions of dojo, the deepCopy method is vulnerable to Prototype
Pollution. An attacker could manipulate these attributes to overwrite, or
pollute, a JavaScript application object prototype of the base object by
injecting other values (CVE-2020-5258).

The Dojox jQuery wrapper jqMix mixin method is vulnerable to Prototype
Pollution. An attacker could manipulate these attributes to overwrite, or
pollute, a JavaScript application object prototype of the base object by
injecting other values (CVE-2020-5259).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5259
https://www.debian.org/lts/security/2020/dla-2139
Comment 4 Herman Viaene 2020-05-24 14:20:08 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 26287, so OK on clean install.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2020-05-26 03:32:43 CEST 
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-05-27 11:07:30 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-05-27 11:53:59 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0232.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED