26227 – nodejs-set-value new security issue CVE-2019-10747

Bug 26227 - nodejs-set-value new security issue CVE-2019-10747

Summary: nodejs-set-value new security issue CVE-2019-10747

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	7
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA7-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2020-02-20 22:05 CET by David Walser
Modified:	2024-10-29 03:37 CET (History)
CC List:	4 users (show)

See Also:
Source RPM:	nodejs-set-value-3.0.0-3.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-02-20 22:05:19 CET

Fedora has issued an advisory on February 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/

The issue is fixed upstream in 3.0.1.

Mageia 7 is also affected.

David Walser 2020-02-20 22:10:31 CET

Whiteboard: (none) => MGA7TOO

David Walser 2020-02-21 17:53:17 CET

Status comment: (none) => Fixed upstream in 3.0.1

Comment 1 Nicolas Lécureuil 2020-05-22 15:39:26 CEST

Advisory:
This update upgrade nodejs-set-value to version 3.0.2 to fix CVE-2019-10747.

References:
https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292@%3Cdev.drat.apache.org%3E
https://snyk.io/vuln/SNYK-JS-SETVALUE-450213

rpms:
nodejs-set-value-3.0.2-1.mga7

from:
nodejs-set-value-3.0.2-1.mga7

Status comment: Fixed upstream in 3.0.1 => (none)
Version: Cauldron => 7
CC: (none) => mageia
Assignee: smelror => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 2 David Walser 2020-05-22 19:55:19 CEST

Advisory:
========================

Updated nodejs-set-value package fixes security vulnerability:

A vulnerability was found in NOdejs set-value, where set-value is vulnerable to
Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could
be tricked into adding or modifying properties of Object.prototype using any of
the constructor, prototype and _proto_ payloads (CVE-2019-10747).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/

Comment 3 Herman Viaene 2020-05-24 15:08:00 CEST

MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous updates.
# urpmq --whatrequires-recursive nodejs-set-value
nodejs-engine
nodejs-set-value
This is java , so OK on clean install as usual

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-05-26 03:06:38 CEST

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Nicolas Lécureuil 2020-05-27 02:10:05 CEST

Status comment: (none) => advisory
Keywords: (none) => advisory

David Walser 2020-05-27 02:27:49 CEST

Status comment: advisory => (none)

Comment 5 Mageia Robot 2020-05-27 02:47:14 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0230.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 6 Alex Baldwin 2024-10-29 03:18:47 CET Comment hidden (spam)

(In reply to Herman Viaene from comment #3)
> MGA7-64 Plasma on Lenovo B50
> No installation issues.
> No previous updates.
> # urpmq --whatrequires-recursive nodejs-set-value
> nodejs-engine
> nodejs-set-value
> This is java , so OK on clean install as usual
By following these steps and seeking help from the community, you should be able to resolve the nodejs-set-value dependency issue and successfully install the necessary packages.
https://basketballstarsfree.com

CC: (none) => audreyjustice16

katnatek 2024-10-29 03:37:29 CET

CC: audreyjustice16 => (none)

Note You need to log in before you can comment on or make changes to this bug.