Bug 770151 (CVE-2020-26296)

Summary: <www-apps/kibana-bin-{6.8.15,7.10.2}: XSS in Vega expressions (CVE-2020-26296)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: Vulnerabilities    Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: erkiferenc, hydrapolic, proxy-maint
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915
See Also: https://github.com/gentoo/gentoo/pull/20115
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-12 01:47:02 UTC
CVE-2020-26296:

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega is an npm package. In Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary JavaScript on a victim's machine. This is fixed in version 5.17.3.


Fixed in 6.8.14 and 7.10.2. We already have the latter, so please bump the 6.8
branch.
Comment 1 Larry the Git Cow gentoo-dev 2021-03-30 07:25:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63746d241700941bdff2ee4a4279253ca4d3355a

commit 63746d241700941bdff2ee4a4279253ca4d3355a
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-03-25 15:09:54 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-30 07:25:19 +0000

    www-apps/kibana-bin: bump to 6.8.15
    
    Bug: https://bugs.gentoo.org/770151
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/kibana-bin/Manifest                 |  2 +
 www-apps/kibana-bin/kibana-bin-6.8.15.ebuild | 89 ++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-30 13:06:59 UTC
All done, thanks!