Bug 26335 - dojo new security issues CVE-2020-5258 and CVE-2020-5259
Summary: dojo new security issues CVE-2020-5258 and CVE-2020-5259
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-03-12 22:12 CET by David Walser
Modified: 2020-05-27 11:53 CEST (History)
4 users (show)

See Also:
Source RPM: dojo-1.14.5-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-03-12 22:12:36 CET
Debian-LTS has issued an advisory today (March 12):
https://www.debian.org/lts/security/2020/dla-2139

The issues are fixed upstream in 1.14.6.

Mageia 7 is also affected.
David Walser 2020-03-12 22:12:48 CET

Status comment: (none) => Fixed upstream in 1.14.6
Whiteboard: (none) => MGA7TOO

Nicolas Lécureuil 2020-05-23 20:50:57 CEST

Status comment: Fixed upstream in 1.14.6 => (none)
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 2 Nicolas Lécureuil 2020-05-23 20:54:43 CEST
Advisory:

The version of dojo provided by mageia 7 is affected by security issues.
This update upgrade dojo to its version 1.14.6


rpms:
dojo-1.14.6-1.mga7

from:
dojo-1.14.6-1.mga7

Assignee: geiger.david68210 => qa-bugs

Comment 3 David Walser 2020-05-23 20:57:28 CEST
Advisory:
========================

Updated dojo package fixes security vulnerabilities:

In affected versions of dojo, the deepCopy method is vulnerable to Prototype
Pollution. An attacker could manipulate these attributes to overwrite, or
pollute, a JavaScript application object prototype of the base object by
injecting other values (CVE-2020-5258).

The Dojox jQuery wrapper jqMix mixin method is vulnerable to Prototype
Pollution. An attacker could manipulate these attributes to overwrite, or
pollute, a JavaScript application object prototype of the base object by
injecting other values (CVE-2020-5259).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5259
https://www.debian.org/lts/security/2020/dla-2139
Comment 4 Herman Viaene 2020-05-24 14:20:08 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 26287, so OK on clean install.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2020-05-26 03:32:43 CEST
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-05-27 11:07:30 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-05-27 11:53:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0232.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.