Advisories » MGASA-2020-0232

Updated dojo packages fix security vulnerability

Publication date: 27 May 2020
Modification date: 27 May 2020
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-5258, CVE-2020-5259

Description

Updated dojo package fixes security vulnerabilities:

In affected versions of dojo, the deepCopy method is vulnerable to
Prototype Pollution. An attacker could manipulate these attributes
to overwrite, or pollute, a JavaScript application object prototype
of the base object by injecting other values (CVE-2020-5258).

The Dojox jQuery wrapper jqMix mixin method is vulnerable to Prototype
Pollution. An attacker could manipulate these attributes to overwrite, or
pollute, a JavaScript application object prototype of the base object by
injecting other values (CVE-2020-5259).
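
The class of bug described in both entries, as an added example that is not dojo's code and not part of the advisory: a naive recursive copy follows a `__proto__` key from parsed JSON into `Object.prototype`, while a hardened copy skips the dangerous keys. All function names and the sample input are constructed for illustration.

```javascript
// Added illustration of the bug class; NOT dojo's source.
// naiveDeepCopy, safeDeepCopy and pollutes are hypothetical names.
function isObject(v) {
  return v !== null && typeof v === "object";
}

// Naive: recurses into whatever key the source supplies, including "__proto__".
function naiveDeepCopy(target, source) {
  for (const key in source) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      naiveDeepCopy(target[key], source[key]); // target["__proto__"] is Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened: own keys only, blocked keys skipped, never recurses into inherited objects.
function safeDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isObject(target[key])) target[key] = Array.isArray(value) ? [] : {};
      safeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Reports whether copying `input` with `copyFn` left a property on Object.prototype.
function pollutes(copyFn, input) {
  copyFn({}, input);
  const leaked = Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
  delete Object.prototype.polluted; // clean up so the check is repeatable
  return leaked;
}

// Constructed sample input: JSON.parse creates an own "__proto__" property.
const untrusted = JSON.parse('{"name":"widget","__proto__":{"polluted":"yes"}}');
console.log("naive copy pollutes:", pollutes(naiveDeepCopy, untrusted));
console.log("hardened copy pollutes:", pollutes(safeDeepCopy, untrusted));
```

The `pollutes` check can serve as a regression test for any copy or mixin helper that handles untrusted JSON.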
                

References

SRPMS

7/core