* [Buildroot] [PATCH 1/2] package/chartjs: move 'v' version prefix out of CHARTJS_VERSION
@ 2021-01-19 15:46 Thomas De Schampheleire
2021-01-19 15:46 ` [Buildroot] [PATCH 2/2] package/chartjs: security bump to 2.9.4 Thomas De Schampheleire
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Thomas De Schampheleire @ 2021-01-19 15:46 UTC (permalink / raw)
To: buildroot
From: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
chartjs 2.9.3 has a security vulnerability (CVE-2020-7746) which is not
detected by the CVE scripts, presumably because our version variable starts
with a 'v'.
Move that 'v' prefix out of the version variable to fix that.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
---
package/chartjs/chartjs.hash | 2 +-
package/chartjs/chartjs.mk | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/chartjs/chartjs.hash b/package/chartjs/chartjs.hash
index d2426ea614..a029d16ab1 100644
--- a/package/chartjs/chartjs.hash
+++ b/package/chartjs/chartjs.hash
@@ -1,3 +1,3 @@
# Locally computed:
-sha256 8079d8fd39131fcfaec33f1c7799412bcf8e051e25b10bd6e37fc16159417aa1 chartjs-v2.9.3.tar.gz
+sha256 8079d8fd39131fcfaec33f1c7799412bcf8e051e25b10bd6e37fc16159417aa1 chartjs-2.9.3.tar.gz
sha256 7b43caae91f31b18dc81fae6e0f7aa1acbecaa6d84e3249905cbe15308307d67 LICENSE.md
diff --git a/package/chartjs/chartjs.mk b/package/chartjs/chartjs.mk
index 171e0a4a7c..960b3e24af 100644
--- a/package/chartjs/chartjs.mk
+++ b/package/chartjs/chartjs.mk
@@ -4,8 +4,8 @@
#
################################################################################
-CHARTJS_VERSION = v2.9.3
-CHARTJS_SITE = $(call github,chartjs,Chart.js,$(CHARTJS_VERSION))
+CHARTJS_VERSION = 2.9.3
+CHARTJS_SITE = $(call github,chartjs,Chart.js,v$(CHARTJS_VERSION))
CHARTJS_LICENSE = MIT
CHARTJS_LICENSE_FILES = LICENSE.md
--
2.26.2
^ permalink raw reply related [flat|nested] 6+ messages in thread* [Buildroot] [PATCH 2/2] package/chartjs: security bump to 2.9.4
2021-01-19 15:46 [Buildroot] [PATCH 1/2] package/chartjs: move 'v' version prefix out of CHARTJS_VERSION Thomas De Schampheleire
@ 2021-01-19 15:46 ` Thomas De Schampheleire
2021-01-19 17:57 ` Peter Korsgaard
2021-02-04 15:34 ` Peter Korsgaard
2021-01-19 17:57 ` [Buildroot] [PATCH 1/2] package/chartjs: move 'v' version prefix out of CHARTJS_VERSION Peter Korsgaard
2021-02-04 15:34 ` Peter Korsgaard
2 siblings, 2 replies; 6+ messages in thread
From: Thomas De Schampheleire @ 2021-01-19 15:46 UTC (permalink / raw)
To: buildroot
From: Joeri Barbarien <joeri.barbarien@nokia.com>
CVE-2020-7746 (https://nvd.nist.gov/vuln/detail/CVE-2020-7746)
The options parameter is not properly sanitized when it is processed.
When the options are processed, the existing options (or the defaults
options) are deeply merged with provided options. However, during this
operation, the keys of the object being set are not checked, leading to
a prototype pollution.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
---
package/chartjs/chartjs.hash | 2 +-
package/chartjs/chartjs.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/chartjs/chartjs.hash b/package/chartjs/chartjs.hash
index a029d16ab1..de4d6d4ebf 100644
--- a/package/chartjs/chartjs.hash
+++ b/package/chartjs/chartjs.hash
@@ -1,3 +1,3 @@
# Locally computed:
-sha256 8079d8fd39131fcfaec33f1c7799412bcf8e051e25b10bd6e37fc16159417aa1 chartjs-2.9.3.tar.gz
+sha256 9ef3697e279a585c79730f35dba16ad4e24ddeed49a150adb341c31f191fb78e chartjs-2.9.4.tar.gz
sha256 7b43caae91f31b18dc81fae6e0f7aa1acbecaa6d84e3249905cbe15308307d67 LICENSE.md
diff --git a/package/chartjs/chartjs.mk b/package/chartjs/chartjs.mk
index 960b3e24af..82c86dc6cc 100644
--- a/package/chartjs/chartjs.mk
+++ b/package/chartjs/chartjs.mk
@@ -4,7 +4,7 @@
#
################################################################################
-CHARTJS_VERSION = 2.9.3
+CHARTJS_VERSION = 2.9.4
CHARTJS_SITE = $(call github,chartjs,Chart.js,v$(CHARTJS_VERSION))
CHARTJS_LICENSE = MIT
CHARTJS_LICENSE_FILES = LICENSE.md
--
2.26.2
^ permalink raw reply related [flat|nested] 6+ messages in thread* [Buildroot] [PATCH 2/2] package/chartjs: security bump to 2.9.4
2021-01-19 15:46 ` [Buildroot] [PATCH 2/2] package/chartjs: security bump to 2.9.4 Thomas De Schampheleire
@ 2021-01-19 17:57 ` Peter Korsgaard
2021-02-04 15:34 ` Peter Korsgaard
1 sibling, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-01-19 17:57 UTC (permalink / raw)
To: buildroot
>>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin@gmail.com> writes:
> From: Joeri Barbarien <joeri.barbarien@nokia.com>
> CVE-2020-7746 (https://nvd.nist.gov/vuln/detail/CVE-2020-7746)
> The options parameter is not properly sanitized when it is processed.
> When the options are processed, the existing options (or the defaults
> options) are deeply merged with provided options. However, during this
> operation, the keys of the object being set are not checked, leading to
> a prototype pollution.
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 2/2] package/chartjs: security bump to 2.9.4
2021-01-19 15:46 ` [Buildroot] [PATCH 2/2] package/chartjs: security bump to 2.9.4 Thomas De Schampheleire
2021-01-19 17:57 ` Peter Korsgaard
@ 2021-02-04 15:34 ` Peter Korsgaard
1 sibling, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-02-04 15:34 UTC (permalink / raw)
To: buildroot
>>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin@gmail.com> writes:
> From: Joeri Barbarien <joeri.barbarien@nokia.com>
> CVE-2020-7746 (https://nvd.nist.gov/vuln/detail/CVE-2020-7746)
> The options parameter is not properly sanitized when it is processed.
> When the options are processed, the existing options (or the defaults
> options) are deeply merged with provided options. However, during this
> operation, the keys of the object being set are not checked, leading to
> a prototype pollution.
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Committed to 2020.11.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 1/2] package/chartjs: move 'v' version prefix out of CHARTJS_VERSION
2021-01-19 15:46 [Buildroot] [PATCH 1/2] package/chartjs: move 'v' version prefix out of CHARTJS_VERSION Thomas De Schampheleire
2021-01-19 15:46 ` [Buildroot] [PATCH 2/2] package/chartjs: security bump to 2.9.4 Thomas De Schampheleire
@ 2021-01-19 17:57 ` Peter Korsgaard
2021-02-04 15:34 ` Peter Korsgaard
2 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-01-19 17:57 UTC (permalink / raw)
To: buildroot
>>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin@gmail.com> writes:
> From: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> chartjs 2.9.3 has a security vulnerability (CVE-2020-7746) which is not
> detected by the CVE scripts, presumably because our version variable starts
> with a 'v'.
> Move that 'v' prefix out of the version variable to fix that.
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 1/2] package/chartjs: move 'v' version prefix out of CHARTJS_VERSION
2021-01-19 15:46 [Buildroot] [PATCH 1/2] package/chartjs: move 'v' version prefix out of CHARTJS_VERSION Thomas De Schampheleire
2021-01-19 15:46 ` [Buildroot] [PATCH 2/2] package/chartjs: security bump to 2.9.4 Thomas De Schampheleire
2021-01-19 17:57 ` [Buildroot] [PATCH 1/2] package/chartjs: move 'v' version prefix out of CHARTJS_VERSION Peter Korsgaard
@ 2021-02-04 15:34 ` Peter Korsgaard
2 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2021-02-04 15:34 UTC (permalink / raw)
To: buildroot
>>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin@gmail.com> writes:
> From: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> chartjs 2.9.3 has a security vulnerability (CVE-2020-7746) which is not
> detected by the CVE scripts, presumably because our version variable starts
> with a 'v'.
> Move that 'v' prefix out of the version variable to fix that.
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Committed to 2020.11.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-02-04 15:34 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-19 15:46 [Buildroot] [PATCH 1/2] package/chartjs: move 'v' version prefix out of CHARTJS_VERSION Thomas De Schampheleire
2021-01-19 15:46 ` [Buildroot] [PATCH 2/2] package/chartjs: security bump to 2.9.4 Thomas De Schampheleire
2021-01-19 17:57 ` Peter Korsgaard
2021-02-04 15:34 ` Peter Korsgaard
2021-01-19 17:57 ` [Buildroot] [PATCH 1/2] package/chartjs: move 'v' version prefix out of CHARTJS_VERSION Peter Korsgaard
2021-02-04 15:34 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.