Bug 27974

Summary: nodejs-minimist new security issue CVE-2020-7598
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: joequant, mageia, ouaurelien, smelror
Version: 7   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-7598
Whiteboard:
Source RPM: nodejs-minimist-1.2.0-4.mga8.src.rpm CVE: CVE-2020-7598
Status comment: Fixed upstream in 1.2.2

Description Zombie Ryushu 2020-12-29 11:00:49 CET 
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Zombie Ryushu 2020-12-29 11:01:00 CET

CVE: (none) => CVE-2020-7598

David Walser 2020-12-29 17:13:49 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 1.2.2
Summary: minimist security issue CVE-2020-7598 => nodejs-minimist new security issue CVE-2020-7598

Comment 1 Aurelien Oudelet 2020-12-29 21:13:47 CET 
A nobody package, assigning globally.
CC'd other nodejs packagers.

CC: (none) => joequant, ouaurelien, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2020-12-30 23:36:53 CET 
new version 1.2.5 pushed in cauldron.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia

Comment 3 David Walser 2021-07-01 18:27:55 CEST 
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Resolution: (none) => OLD
Status: NEW => RESOLVED