Bug 26227 - nodejs-set-value new security issue CVE-2019-10747
Summary: nodejs-set-value new security issue CVE-2019-10747
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-02-20 22:05 CET by David Walser
Modified: 2020-05-27 02:47 CEST (History)
4 users (show)

See Also:
Source RPM: nodejs-set-value-3.0.0-3.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-02-20 22:05:19 CET 
Fedora has issued an advisory on February 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/

The issue is fixed upstream in 3.0.1.

Mageia 7 is also affected.
David Walser 2020-02-20 22:10:31 CET

Whiteboard: (none) => MGA7TOO

David Walser 2020-02-21 17:53:17 CET

Status comment: (none) => Fixed upstream in 3.0.1

Comment 1 Nicolas Lécureuil 2020-05-22 15:39:26 CEST 
Advisory:
This update upgrade nodejs-set-value to version 3.0.2 to fix CVE-2019-10747.

References:
https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292@%3Cdev.drat.apache.org%3E
https://snyk.io/vuln/SNYK-JS-SETVALUE-450213

rpms:
nodejs-set-value-3.0.2-1.mga7

from:
nodejs-set-value-3.0.2-1.mga7

Status comment: Fixed upstream in 3.0.1 => (none)
Version: Cauldron => 7
CC: (none) => mageia
Assignee: smelror => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 2 David Walser 2020-05-22 19:55:19 CEST 
Advisory:
========================

Updated nodejs-set-value package fixes security vulnerability:

A vulnerability was found in NOdejs set-value, where set-value is vulnerable to
Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could
be tricked into adding or modifying properties of Object.prototype using any of
the constructor, prototype and _proto_ payloads (CVE-2019-10747).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/
Comment 3 Herman Viaene 2020-05-24 15:08:00 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous updates.
# urpmq --whatrequires-recursive nodejs-set-value
nodejs-engine
nodejs-set-value
This is java , so OK on clean install as usual

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-05-26 03:06:38 CEST 
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Nicolas Lécureuil 2020-05-27 02:10:05 CEST

Keywords: (none) => advisory
Status comment: (none) => advisory

David Walser 2020-05-27 02:27:49 CEST

Status comment: advisory => (none)

Comment 5 Mageia Robot 2020-05-27 02:47:14 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0230.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.