Drop support of IE8 and browser before 2015 in order to close CVEs ?

To: debian-lts@lists.debian.org, Sylvain Beucler <beuc@beuc.net>
Subject: Drop support of IE8 and browser before 2015 in order to close CVEs ?
From: Bastien Roucaries <rouca@debian.org>
Date: Fri, 30 May 2025 17:06:57 +0200
Message-id: <[🔎] 2918142.88bMQJbFj6@debian-ei>

Hi,

The simpler stuff to close CVE-2025-1647 is to drop IE8 support (that do not support CreateHTMLDocument) and use directly and incontionnaly CreateHTMLDocument

ANother possibility is to test if class if DOMImplementation type

Injection is here:
https://sources.debian.org/src/twitter-bootstrap3/3.4.1%2Bdfsg-4/js/tooltip.js/#L111

Beuc what is your point of view ?

rouca

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Prev by Date: Debian LTS and ELTS report for May 2025
Next by Date: Debian LTS & ELTS -- May 2025
Previous by thread: Debian LTS and ELTS report for May 2025
Next by thread: Debian LTS & ELTS -- May 2025
Index(es):
- Date
- Thread