CVE-2020-26296: Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega is an npm package. In Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary JavaScript on a victim's machine. This is fixed in version 5.17.3.

Fixed in 6.8.14 and 7.10.2. We already have the latter, so please bump the 6.8 branch.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63746d241700941bdff2ee4a4279253ca4d3355a

commit 63746d241700941bdff2ee4a4279253ca4d3355a
Author: Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-03-25 15:09:54 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-30 07:25:19 +0000

    www-apps/kibana-bin: bump to 6.8.15

    Bug: https://bugs.gentoo.org/770151
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/kibana-bin/Manifest | 2 +
 www-apps/kibana-bin/kibana-bin-6.8.15.ebuild | 89 ++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+)
All done, thanks!