Debian-LTS has issued an advisory today (March 12): https://www.debian.org/lts/security/2020/dla-2139 The issues are fixed upstream in 1.14.6. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 1.14.6
Whiteboard: (none) => MGA7TOO

Status comment: Fixed upstream in 1.14.6 => (none)
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Advisory: The version of dojo provided by Mageia 7 is affected by security issues. This update upgrades dojo to version 1.14.6.
rpms: dojo-1.14.6-1.mga7
from: dojo-1.14.6-1.mga7
Assignee: geiger.david68210 => qa-bugs
Advisory:
========================

Updated dojo package fixes security vulnerabilities:

In affected versions of dojo, the deepCopy method is vulnerable to Prototype Pollution. An attacker could manipulate these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values (CVE-2020-5258).

The Dojox jQuery wrapper jqMix mixin method is vulnerable to Prototype Pollution. An attacker could manipulate these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values (CVE-2020-5259).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5259
https://www.debian.org/lts/security/2020/dla-2139
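The prototype-pollution pattern named in the advisory above, shown as an added JavaScript example that is not dojo's code and not part of the original report. `naiveDeepMerge`, `safeDeepMerge` and `pollutes` are hypothetical helpers, and the JSON input is constructed for the illustration.

```javascript
// Added illustration: hypothetical helpers, not dojo's deepCopy or jqMix.
const isObject = (v) => v !== null && typeof v === "object";

// Vulnerable pattern: every enumerable key is followed, so an own "__proto__"
// key in the source makes the recursion descend into Object.prototype.
function naiveDeepMerge(target, source) {
  for (const key in source) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: skip keys that can reach a prototype, and only recurse
// into properties the target itself owns (never inherited ones).
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isObject(target[key])) {
        target[key] = Array.isArray(value) ? [] : {};
      }
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns true if merging the constructed input changed Object.prototype.
function pollutes(mergeFn) {
  // JSON.parse creates "__proto__" as an ordinary own property.
  const untrusted = JSON.parse('{"name":"x","__proto__":{"polluted":true}}');
  mergeFn({}, untrusted);
  const leaked = ({}).polluted === true; // visible on an unrelated object?
  delete Object.prototype.polluted;      // clean up so each run is independent
  return leaked;
}

console.log("naive merge pollutes:", pollutes(naiveDeepMerge));
console.log("safe merge pollutes:", pollutes(safeDeepMerge));
```
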
MGA7-64 Plasma on Lenovo B50. No installation issues. Ref to bug 26287, so OK on clean install.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0232.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED