[SECURITY] [DLA 2139-1] dojo security update
Package : dojo
Version : 1.10.2+dfsg-1+deb8u3
CVE ID : CVE-2020-5258 CVE-2020-5259
Debian Bug : 953585 953587
The following CVEs were reported against dojo:

CVE-2020-5258

    In affected versions of dojo, the deepCopy method is vulnerable
    to Prototype Pollution. By manipulating the properties of the
    object passed to it, an attacker could overwrite, or pollute, the
    prototype of the application's base JavaScript object by
    injecting other values.

CVE-2020-5259

    The Dojox jQuery wrapper's jqMix mixin method is vulnerable to
    Prototype Pollution. By manipulating the properties of the
    object passed to it, an attacker could overwrite, or pollute, the
    prototype of the application's base JavaScript object by
    injecting other values.

For Debian 8 "Jessie", these problems have been fixed in version
1.10.2+dfsg-1+deb8u3.

We recommend that you upgrade your dojo packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Best,
Utkarsh
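
The bug class both CVEs describe, shown as an added example that is not dojo's code or the Debian patch: a generic recursive copy that follows a "__proto__" key from parsed JSON, next to a hardened variant that skips prototype-related keys. All function names and the sample input are constructed for illustration.

```javascript
// Generic illustration of the bug class; NOT dojo's deepCopy or jqMix source.
// Function names and the sample input are constructed for this example.

// Vulnerable pattern: recursive copy that follows every key in `source`.
function unsafeDeepCopy(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === "object") {
      // For the key "__proto__", target[key] is Object.prototype, so the
      // recursion writes the supplied properties onto the shared prototype.
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: own keys only, prototype-related keys skipped, and
// recursion only into objects that `target` itself owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object") {
      if (!hasOwn(target, key) || !target[key] || typeof target[key] !== "object") {
        target[key] = Array.isArray(value) ? [] : {};
      }
      safeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Copies constructed untrusted JSON, then checks an unrelated object.
function demo(copyFn) {
  const untrusted = JSON.parse('{"name": "x", "__proto__": {"polluted": true}}');
  const copy = copyFn({}, untrusted);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // restore the prototype after the check
  return { copy, leaked };
}

console.log("unsafe:", demo(unsafeDeepCopy).leaked, "safe:", demo(safeDeepCopy).leaked);
```
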