--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package node-jquery
Hi all,
node-jquery is vulnerable to prototype pollution (same as #927385 for
jQuery, already unblocked). I added the same patch and also changed:
* Add upstream/metadata
* Add homepage
* Upgrade links to https
* Fix prototype pollution vulnerability (Closes: #927466, CVE-2019-11358)
* Add patch to make the build reproducible. Thanks to Chris Lamb
(Closes: #886001)
Reverse dependencies:
- node-jquery-ujs (no reverse deps)
- node-jquery-textcomplete (no reverse deps)
- rainloop (build dependency, no reverse deps)
Changes on installed files are just:
diff -aburN /usr/lib/nodejs/jquery/dist.old/jquery.js /usr/lib/nodejs/jquery/dist/jquery.js
--- /usr/lib/nodejs/jquery/dist.old/jquery.js 2018-06-20 16:22:11.000000000 +0200
+++ /usr/lib/nodejs/jquery/dist/jquery.js 2019-04-23 18:12:00.000000000 +0200
@@ -8,8 +8,6 @@
* Copyright jQuery Foundation and other contributors
* Released under the MIT license
* http://jquery.org/license
- *
- * Date: 2018-06-20T15:30Z
*/
(function( global, factory ) {
@@ -210,7 +208,7 @@
copy = options[ name ];
// Prevent never-ending loop
- if ( target === copy ) {
+ if ( name === "__proto__" || target === copy ) {
continue;
}
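Review bot: this hunk shows the `__proto__` guard landed in the unminified installed file only; the minified jquery.min.js and its .map are mentioned in prose below but not shown, so confirming that the `"__proto__"` string check survived minification (for example by grepping the built jquery.min.js for it) would close the remaining gap before unblocking.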
and of course minified/map files. So I think it is low risk to upgrade
node-jquery in Buster.
Cheers,
Xavier
unblock node-jquery/2.2.4+dfsg-4
diff --git a/debian/changelog b/debian/changelog
index aedbd29..e4608fc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+node-jquery (2.2.4+dfsg-4) unstable; urgency=medium
+
+ * Team upload
+ * Add upstream/metadata
+ * Add homepage
+ * Upgrade links to https
+ * Fix prototype pollution vulnerability (Closes: #927466, CVE-2019-11358)
+ * Add patch to make the build reproducible. Thanks to Chris Lamb
+ (Closes: #886001)
+
+ -- Xavier Guimard <yadd@debian.org> Tue, 23 Apr 2019 18:12:00 +0200
+
node-jquery (2.2.4+dfsg-3) unstable; urgency=medium
* Bump Standards-Version to 4.1.4 (no changes needed)
diff --git a/debian/control b/debian/control
index f7fa83b..0954117 100644
--- a/debian/control
+++ b/debian/control
@@ -17,6 +17,7 @@ Build-Depends: debhelper (>= 11~),
Standards-Version: 4.1.4
Vcs-Git: https://salsa.debian.org/js-team/node-jquery.git
Vcs-Browser: https://salsa.debian.org/js-team/node-jquery
+Homepage: https://jquery.com/
Package: node-jquery
Architecture: all
diff --git a/debian/copyright b/debian/copyright
index 6d8eb44..8ea8dce 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,14 +1,14 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: jquery
Upstream-Contact: https://github.com/jquery/jquery/issues
-Source: http://github.com/jquery/jquery
+Source: https://github.com/jquery/jquery
Files-Excluded: dist external
Files: *
Copyright: © 2011, John Resig
© 2011, The Dojo Foundation
License: GPL-2+ or MIT
-Comment: includes Sizzle.js <http://sizzlejs.com/>, which is
+Comment: includes Sizzle.js <https://sizzlejs.com/>, which is
© 2011, The Dojo Foundation, and is released under three licenses:
GPL-2+, MIT or BSD. I'm including only the first two, since it
complies with the rest of node-jquery code.
@@ -29,7 +29,7 @@ License: GPL-2+
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>
+ along with this program. If not, see <https://www.gnu.org/licenses/>
.
On Debian systems, the complete text of the GNU General
Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
diff --git a/debian/patches/CVE-2019-11358.diff b/debian/patches/CVE-2019-11358.diff
new file mode 100644
index 0000000..9188a95
--- /dev/null
+++ b/debian/patches/CVE-2019-11358.diff
@@ -0,0 +1,20 @@
+Description: Fix prototype Pollution vulnerability
+Author: Michał Gołębiowski-Owczarek <https://github.com/mgol>
+Origin: upstream, https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
+Bug: https://github.com/jquery/jquery/pull/4333
+Bug-Debian: https://bugs.debian.org/927385
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-04-23
+
+--- a/src/core.js
++++ b/src/core.js
+@@ -157,7 +157,7 @@
+ copy = options[ name ];
+
+ // Prevent never-ending loop
+- if ( target === copy ) {
++ if ( name === "__proto__" || target === copy ) {
+ continue;
+ }
+
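Review bot: `Bug-Debian` in the DEP-3 header points at #927385, the bug filed against src:jquery, while this upload closes #927466 for node-jquery (see the changelog hunk above); point `Bug-Debian` at https://bugs.debian.org/927466 (or list both) so the patch header matches the bug actually closed. Minor style: `Description` capitalises "Pollution" mid-sentence.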
diff --git a/debian/patches/reproducible-build.patch b/debian/patches/reproducible-build.patch
new file mode 100644
index 0000000..1994886
--- /dev/null
+++ b/debian/patches/reproducible-build.patch
@@ -0,0 +1,15 @@
+Description: Make the build reproducible
+Author: Chris Lamb <lamby@debian.org>
+Last-Update: 2018-01-01
+
+--- a/src/intro.js
++++ b/src/intro.js
+@@ -8,8 +8,6 @@
+ * Copyright jQuery Foundation and other contributors
+ * Released under the MIT license
+ * http://jquery.org/license
+- *
+- * Date: @DATE
+ */
+
+ (function( global, factory ) {
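Review bot: the DEP-3 header lacks `Bug-Debian: https://bugs.debian.org/886001` and a `Forwarded:` field, unlike the CVE patch above; since the changelog closes #886001 with this patch, add the Bug-Debian line and state whether the `@DATE` removal was forwarded upstream (or `Forwarded: not-needed` if it is Debian-specific).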
diff --git a/debian/patches/series b/debian/patches/series
index 4b2d73e..bdd8c35 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
skip-modules.patch
skip-gzip-js.patch
+CVE-2019-11358.diff
+reproducible-build.patch
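Review bot: the two new patch files use different suffixes (`CVE-2019-11358.diff` vs `reproducible-build.patch`); a naming style point only, since they touch different files (src/core.js and src/intro.js) and their order in series does not matter here.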
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..a65a92c
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/jquery/jquery/issues
+Contact: https://github.com/jquery/jquery/issues
+Name: jquery
+Repository: https://github.com/jquery/jquery.git
+Repository-Browse: https://github.com/jquery/jquery
--- End Message ---
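An added example, not part of the unblock request or of jQuery's own code: a reduced re-implementation of the deep-merge loop in jQuery.extend in its pre-patch shape and with the CVE-2019-11358 guard from the hunk above, run as a regression check on a constructed JSON input, so the effect of the `name === "__proto__"` line can be seen directly. The helper names (`deepExtend`, `mergePollutes`) and the sample input are assumptions made for this example.

```javascript
// Plain-object test in the spirit of jQuery.isPlainObject (simplified; assumption).
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Minimal deep extend modelled on jQuery.extend(true, target, options).
// guardProto=false reproduces the pre-patch loop, guardProto=true adds the
// `name === "__proto__"` check from the CVE-2019-11358 fix.
function deepExtend(target, options, guardProto) {
  for (const name in options) {
    const copy = options[name];
    // Pre-patch: only the never-ending-loop check. Post-patch: also skip "__proto__".
    if ((guardProto && name === "__proto__") || target === copy) {
      continue;
    }
    if (isPlainObject(copy)) {
      // Without the guard, target["__proto__"] resolves through the accessor to
      // Object.prototype, which then becomes the merge target for `copy`.
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtend(clone, copy, guardProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed untrusted input: JSON.parse keeps "__proto__" as an own,
// enumerable property, so the for-in loop above visits it.
const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}, "a": 1}');

// Merge `untrusted` into a fresh object and report whether Object.prototype
// gained an own "polluted" property; cleans up so the check is repeatable.
function mergePollutes(guardProto) {
  deepExtend({}, untrusted, guardProto);
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
  delete Object.prototype.polluted;
  return polluted;
}

console.log("pre-patch merge pollutes Object.prototype:", mergePollutes(false));
console.log("patched merge pollutes Object.prototype:", mergePollutes(true));
```

Running the block prints `true` for the pre-patch loop and `false` for the patched one, while ordinary keys such as `a` are still merged in both cases.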
--- Begin Message ---
Xavier Guimard:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Please unblock package node-jquery
>
> Hi all,
>
> node-jquery is vulnerable to prototype pollution (same as #927385 for
> jQuery, already unblocked). I added the same patch and also changed:
> * Add upstream/metadata
> * Add homepage
> * Upgrade links to https
> * Fix prototype pollution vulnerability (Closes: #927466, CVE-2019-11358)
> * Add patch to make the build reproducible. Thanks to Chris Lamb
> (Closes: #886001)
>
> [...]
>
> Cheers,
> Xavier
>
> unblock node-jquery/2.2.4+dfsg-4
>
Unblocked, thanks.
~Niels
--- End Message ---