
[SECURITY] [DLA 2139-1] dojo security update




Package        : dojo
Version        : 1.10.2+dfsg-1+deb8u3
CVE ID         : CVE-2020-5258 CVE-2020-5259
Debian Bug     : 953585 953587


The following CVEs were reported against dojo:

CVE-2020-5258

    In affected versions of dojo, the deepCopy method is vulnerable
    to Prototype Pollution. An attacker could manipulate these
    attributes to overwrite, or pollute, a JavaScript application object
    prototype of the base object by injecting other values.

CVE-2020-5259

    The Dojox jQuery wrapper jqMix mixin method is vulnerable to
    Prototype Pollution. An attacker could manipulate these attributes
    to overwrite, or pollute, a JavaScript application object prototype
    of the base object by injecting other values.

For Debian 8 "Jessie", these problems have been fixed in version
1.10.2+dfsg-1+deb8u3.

We recommend that you upgrade your dojo packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Best,
Utkarsh
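
The prototype pollution described under CVE-2020-5258 and CVE-2020-5259 above, shown as an added example that is not part of the original advisory and is not dojo's own code: a naive recursive copy beside a hardened one. The function names, the blocked-key list and the JSON payload are constructed for illustration.

```javascript
// Added example: constructed code, not dojo's deepCopy or jqMix source.
// Naive recursive copy: follows every key in `source`, "__proto__" included.
function unsafeDeepCopy(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = Array.isArray(value) ? [] : {};
      }
      unsafeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened copy: own keys only, prototype-reaching keys skipped, and only
// the target's own nested objects are merged into.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Array.isArray(value) ? [] : {};
      }
      safeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Copies a constructed payload, then reports whether a fresh, unrelated
// object inherited the injected property. Restores Object.prototype after.
function pollutesPrototype(copyFn) {
  const payload = JSON.parse('{"name":"x","__proto__":{"polluted":"yes"}}');
  copyFn({}, payload);
  const polluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return polluted;
}

console.log('unsafe copy pollutes:', pollutesPrototype(unsafeDeepCopy)); // true
console.log('safe copy pollutes:  ', pollutesPrototype(safeDeepCopy));   // false
```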

