Your message dated Sat, 27 Apr 2019 11:14:32 +0100
with message-id <1556360072.2690.35.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.9
has caused the Debian Bug report #927422,
regarding stretch-pu: package jquery/3.1.1-2+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
927422: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927422
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package jquery/3.1.1-2+deb9u1
- From: Xavier Guimard <yadd@debian.org>
- Date: Fri, 19 Apr 2019 15:01:16 +0200
- Message-id: <[🔎] 155567887662.11243.1899861581686399753.reportbug@mac-debian.lemonldap-ng.org>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi all,

I fixed the https://snyk.io/vuln/SNYK-JS-JQUERY-174006 vulnerability for Buster. Here is the fix for Stretch. It just avoids Object.prototype pollution without changing behavior. Could you insert it in the next stretch update?

Cheers,
Xavier

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff --git a/debian/changelog b/debian/changelog index b6049732..2f6fc66f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +jquery (3.1.1-2+deb9u1) stretch; urgency=high + + * Team upload + * Add patch to prevent Object.prototype pollution (Closes: #927385) + * Disable check-against-upstream-build test (autopkgtest) since file is now + patched + + -- Xavier Guimard <yadd@debian.org> Thu, 18 Apr 2019 22:57:29 +0200 + jquery (3.1.1-2) unstable; urgency=medium * debian/rules: adapt path to r.js after a change in nodejs-requirejs diff --git a/debian/patches/SNYK-JS-JQUERY-174006.diff b/debian/patches/SNYK-JS-JQUERY-174006.diff new file mode 100644 index 00000000..a4f80b6a --- /dev/null +++ b/debian/patches/SNYK-JS-JQUERY-174006.diff
@@ -0,0 +1,21 @@ +Description: Prevent Object.prototype pollution for $.extend( true, ... ) +Author: Xavier Guimard <yadd@debian.org> +Origin: upstream, https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b +Bug: https://github.com/jquery/jquery/pull/4333 +Bug-Debian: https://bugs.debian.org/927385 +Forwarded: not-needed +Last-Update: 2019-04-18 + +--- a/src/core.js ++++ b/src/core.js +@@ -165,8 +165,9 @@ + src = target[ name ]; + copy = options[ name ]; + ++ // Prevent Object.prototype pollution + // Prevent never-ending loop +- if ( target === copy ) { ++ if ( name === "__proto__" || target === copy ) { + continue; + } + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 00000000..1fc60af1 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +SNYK-JS-JQUERY-174006.diff diff --git a/debian/tests/control b/debian/tests/control index 263ff2f0..08e26681 100644 --- a/debian/tests/control +++ b/debian/tests/control @@ -1,2 +1,2 @@ -Tests: check-against-upstream-build, check-minification +Tests: check-minification Depends: @, wget, ca-certificates
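Review bot: the src/core.js hunk adds the `name === "__proto__"` guard to the source tree only, so users get the fix only if debian/rules rebuilds the shipped jquery.js and jquery.min.js from src/ during the package build (the changelog's remark that check-against-upstream-build is disabled "since file is now patched" suggests it does); the pu request should state explicitly that the built files installed by the binary package contain the new check rather than a pre-built upstream copy, for instance by grepping the installed jquery.js for the string `"__proto__"` after a test build. The guard itself is the one from the upstream commit named in the Origin: field, and skipping the key with `continue` leaves every other merge path untouched, so the "without changing behavior" claim holds for the hunk as shown.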
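Review bot: the debian/tests/control hunk removes check-against-upstream-build outright, which also drops the only autopkgtest that would catch the Debian build drifting from upstream in ways unrelated to this patch; rather than deleting it from the Tests: line, consider making the test apply debian/patches/SNYK-JS-JQUERY-174006.diff to the upstream copy it fetches (the test still depends on wget and ca-certificates) before the comparison, or at least leave a comment in debian/tests/control saying the test is expected to be restored once the package moves to an upstream release that carries the fix.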
--- End Message ---
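The one-line guard in the patch above is easier to evaluate next to the merge pattern it protects. The following is an added example, not jQuery's code and not part of the bug report: a minimal recursive deep extend written in the style of `jQuery.extend( true, target, source )`, run first as the vulnerable pattern and then with the `name === "__proto__"` check from the patch. The `isPlainObject` helper is a simplification of jQuery's (an assumption, not the library's own function), and the JSON payload is constructed for the demonstration.

```javascript
// Added example (not jQuery's code): a reduced deep-extend in the style of
// jQuery.extend( true, target, source ), with and without the __proto__ guard.

// Simplified stand-in for jQuery.isPlainObject (assumption, not jQuery's code):
// object literals and Object.prototype itself qualify; arrays, functions and
// class instances do not.
function isPlainObject(obj) {
  if (obj === null || typeof obj !== "object") return false;
  const proto = Object.getPrototypeOf(obj);
  return proto === null || proto === Object.prototype;
}

// guardProto=false reproduces the pre-patch merge; guardProto=true applies
// the patched condition `if ( name === "__proto__" || target === copy ) continue;`
function deepExtend(target, source, guardProto) {
  for (const name in source) {
    const src = target[name];   // for name === "__proto__" this is Object.prototype
    const copy = source[name];

    // Original check: prevent never-ending loop. Patched check: also skip __proto__.
    if ((guardProto && name === "__proto__") || target === copy) continue;

    if (isPlainObject(copy)) {
      // Recurse into the existing plain object at target[name] or start a new one.
      // Unguarded, src is Object.prototype here and the recursion writes into it.
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtend(clone, copy, guardProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

const deepExtendVulnerable = (target, source) => deepExtend(target, source, false);
const deepExtendFixed = (target, source) => deepExtend(target, source, true);

// Constructed attacker payload: what an application sees after JSON.parse on
// untrusted input (request body, URL fragment, postMessage data, ...).
// JSON.parse creates "__proto__" as an ordinary own property, so for...in visits it.
const PAYLOAD_JSON = '{"__proto__": {"polluted": "yes"}, "title": "hello"}';

// Merge the payload into empty settings with the given variant and report whether
// an unrelated, freshly created object now carries the injected property.
function pollutionLeaks(extendFn) {
  const payload = JSON.parse(PAYLOAD_JSON);
  const settings = extendFn({}, payload);
  const leaked = ({}).polluted;        // undefined unless Object.prototype was polluted
  delete Object.prototype.polluted;    // clean up so the rest of the process is unaffected
  return { leaked, title: settings.title };
}

console.log("vulnerable:", pollutionLeaks(deepExtendVulnerable)); // leaked: "yes"
console.log("fixed:     ", pollutionLeaks(deepExtendFixed));      // leaked: undefined
console.log("normal merge still works:",
  JSON.stringify(deepExtendFixed({ a: { b: 1 } }, { a: { c: 2 }, d: 3 })));
```

The interesting step is `const clone = isPlainObject(src) ? src : {}`: with `name === "__proto__"`, `src` is `Object.prototype`, which is a plain object by jQuery's definition, so the recursion merges the attacker's keys straight into it and every object in the page inherits them. Skipping the key before that line is sufficient because nothing else in the loop touches the prototype chain; a legitimate `"__proto__"` key in input is simply ignored, which is the "without changing behavior" the submitter describes. To check an installed Stretch package, confirm the version is 3.1.1-2+deb9u1 and that the shipped jquery.js contains the `"__proto__"` comparison.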
--- Begin Message ---
- To: 890889-done@bugs.debian.org, 892070-done@bugs.debian.org, 910805-done@bugs.debian.org, 914187-done@bugs.debian.org, 914591-done@bugs.debian.org, 919043-done@bugs.debian.org, 919576-done@bugs.debian.org, 921748-done@bugs.debian.org, 921977-done@bugs.debian.org, 921983-done@bugs.debian.org, 922918-done@bugs.debian.org, 922987-done@bugs.debian.org, 922996-done@bugs.debian.org, 923202-done@bugs.debian.org, 923323-done@bugs.debian.org, 923342-done@bugs.debian.org, 923556-done@bugs.debian.org, 923897-done@bugs.debian.org, 924145-done@bugs.debian.org, 924150-done@bugs.debian.org, 924255-done@bugs.debian.org, 924261-done@bugs.debian.org, 924282-done@bugs.debian.org, 924377-done@bugs.debian.org, 924433-done@bugs.debian.org, 924463-done@bugs.debian.org, 924493-done@bugs.debian.org, 924642-done@bugs.debian.org, 924939-done@bugs.debian.org, 924945-done@bugs.debian.org, 925154-done@bugs.debian.org, 925161-done@bugs.debian.org, 925214-done@bugs.debian.org, 925228-done@bugs.debian.org, 925351-done@bugs.debian.org, 925401-done@bugs.debian.org, 925482-done@bugs.debian.org, 925506-done@bugs.debian.org, 925548-done@bugs.debian.org, 925569-done@bugs.debian.org, 926003-done@bugs.debian.org, 926050-done@bugs.debian.org, 926136-done@bugs.debian.org, 926190-done@bugs.debian.org, 926199-done@bugs.debian.org, 926397-done@bugs.debian.org, 926438-done@bugs.debian.org, 926506-done@bugs.debian.org, 926739-done@bugs.debian.org, 926870-done@bugs.debian.org, 926892-done@bugs.debian.org, 926894-done@bugs.debian.org, 926897-done@bugs.debian.org, 927067-done@bugs.debian.org, 927068-done@bugs.debian.org, 927072-done@bugs.debian.org, 927160-done@bugs.debian.org, 927191-done@bugs.debian.org, 927223-done@bugs.debian.org, 927378-done@bugs.debian.org, 927422-done@bugs.debian.org, 927424-done@bugs.debian.org, 922484-done@bugs.debian.org
- Subject: Closing bugs for updates included in 9.9
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 27 Apr 2019 11:14:32 +0100
- Message-id: <1556360072.2690.35.camel@adam-barratt.org.uk>
Version: 9.9

Hi,

The update referenced by each of these bugs was included in this morning's stretch point release.

Regards,

Adam
--- End Message ---