Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #952785,
regarding buster-pu: package dojo/1.15.0+dfsg1-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
952785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952785
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package dojo/1.15.0+dfsg1-1+deb10u1
- From: Xavier Guimard <yadd@debian.org>
- Date: Sat, 29 Feb 2020 09:10:51 +0100
- Message-id: <158296385177.614479.13738069338817750577.reportbug@deb007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

dojo is vulnerable to Cross-site Scripting. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them. This upstream patch fixes this issue.

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog index 14447b52..0e5dc462 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +dojo (1.15.0+dfsg1-1+deb10u1) buster; urgency=medium + + * Team upload + * Cleanup improper regex usage (Closes: #952771, 2019, 10785) + + -- Xavier Guimard <yadd@debian.org> Sat, 29 Feb 2020 09:07:02 +0100 + dojo (1.15.0+dfsg1-1) unstable; urgency=medium * New upstream version : diff --git a/debian/patches/CVE-2019-10785.patch b/debian/patches/CVE-2019-10785.patch new file mode 100644 index 00000000..67ab40f2 --- /dev/null +++ b/debian/patches/CVE-2019-10785.patch 
@@ -0,0 +1,45 @@ +Description: Cleanup improper regex usage +Author: Paul <paul@sitepen.com> +Origin: upstream, https://github.com/dojo/dojox/pull/317 +Bug: https://github.com/dojo/dojox/pull/315 +Bug-Debian: https://bugs.debian.org/952771 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <yadd@debian.org> +Last-Update: 2020-02-29 + +--- a/dojox/dtl/dom.js ++++ b/dojox/dtl/dom.js +@@ -94,7 +94,7 @@ define([ + var replacement = ""; + for(var p = 2, pl = pair.length; p < pl; p++){ + if(p == 2){ +- replacement += "<" + tag + ' dtlinstruction="{% ' + token[k].replace('"', '\\"') + ' %}">'; ++ replacement += "<" + tag + ' dtlinstruction="{% ' + token[k].replace(/"/g, '\\"') + ' %}">'; + }else if(tag == pair[p]) { + continue; + }else{ +--- a/dojox/widget/RollingList.js ++++ b/dojox/widget/RollingList.js +@@ -1050,7 +1050,7 @@ dojo.declare("dojox.widget.RollingList", + widgetItem.store = this.store; + widgetItem.item = item; + if(!widgetItem.label){ +- widgetItem.attr("label", this.store.getLabel(item).replace(/</,"<")); ++ widgetItem.attr("label", this.store.getLabel(item).replace(/</g,"<")); + } + if(widgetItem.focusNode){ + var self = this; +--- a/dojox/xmpp/util.js ++++ b/dojox/xmpp/util.js +@@ -3,10 +3,7 @@ dojo.require("dojox.string.Builder"); + dojo.require("dojox.encoding.base64"); + + dojox.xmpp.util.xmlEncode = function(str) { +- if(str) { +- str = str.replace("&", "&").replace(">", ">").replace("<", "<").replace("'", "'").replace('"', """); +- } +- return str; ++ return dojo.string.escape(str); + }; + + dojox.xmpp.util.encodeJid = function(jid) { diff --git a/debian/patches/series b/debian/patches/series index f39e7f29..6051ed59 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ 0001-Compatibility-patch-for-newer-rhino.patch 0002-Do-notrun-test-suite-in-build.patch 0003-Disable-flash-storage.patch +#CVE-2019-10785.patch
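Review bot: the Closes field in the new changelog entry, `* Cleanup improper regex usage (Closes: #952771, 2019, 10785)`, will be read by dpkg's changelog parser as closing three bugs, #952771, #2019 and #10785, because bare numbers after a comma are accepted as bug numbers. The `2019, 10785` looks like the remains of `CVE-2019-10785`; move the CVE reference out of the parentheses, e.g. `* Cleanup improper regex usage (CVE-2019-10785) (Closes: #952771)`, so that unrelated bugs are not closed by the upload.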
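Review bot: in the dojox/dtl/dom.js hunk the change from the string pattern `'"'` to `/"/g` is the right fix for the `dtlinstruction` attribute, since a string pattern in `String.prototype.replace` rewrites only the first match and any later `"` would terminate the attribute early. Note that only `"` is escaped there; the attribute value still relies on the token text containing no other markup-significant characters, which is the same assumption the pre-patch code made.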
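Review bot: in the dojox/widget/RollingList.js hunk the replacement argument is shown as `"<"`, so both the removed and the added `replace(/</…,"<")` calls read as identity replacements here. That is almost certainly an `&lt;` that was entity-decoded when the mail was rendered, but it is worth confirming against the patch file on disk before upload. The added `g` flag itself is the correct fix: a store label containing more than one `<` was previously escaped only once.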
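Review bot: two points on the dojox/xmpp/util.js hunk. First, the `if(str)` guard is dropped: the old `xmlEncode` returned `null` or `undefined` input unchanged, whereas the new body passes those values straight to `dojo.string.escape(str)`, so callers that encode optional fields should be checked for a resulting exception, or the guard kept. Second, the only requires visible in the context are `dojo.require("dojox.string.Builder")` and `dojo.require("dojox.encoding.base64")`; `dojo.string.escape` comes from the `dojo.string` module, so confirm it is required in this file or otherwise guaranteed to be loaded before `xmlEncode` is called. (As in the RollingList hunk, the removed entity replacements render here as `.replace("&", "&")`, i.e. decoded in transit, which should not be taken as the real file content.)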
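Review bot: the new debian/patches/series entry is `#CVE-2019-10785.patch`. quilt, and dpkg-source for the 3.0 (quilt) format, treat a series line beginning with `#` as a comment, so as written the patch is shipped in the source package but never applied and the binaries would be built without the fix. Drop the leading `#` (or confirm it is a rendering artefact of this mail) and rebuild to check that the patch is applied.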
--- End Message ---
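The first-occurrence-only behaviour described in the report above, as an added example that is not part of the bug report or of the dojo project's code. It puts the pre-fix shape of the encoder (a chain of `String.prototype.replace` calls with string patterns, entities spelled out) beside a single-pass global-regex form, and includes a check a test suite can use to confirm that nothing escaped only partially. The function names `xmlEncodeFirstOnly`, `xmlEncodeAll` and `isFullyEncoded` and the sample input are my own constructions.

```javascript
// Added example, not code from the Debian bug report or from the dojo project.
// It demonstrates the bug class behind the report: String.prototype.replace
// with a *string* pattern rewrites only the first match, so an escaper built
// from such calls lets every later special character through. The function
// names (xmlEncodeFirstOnly, xmlEncodeAll, isFullyEncoded) and the sample
// input are constructed for this example.

// Pre-fix shape: the same call chain as the old dojox.xmpp.util.xmlEncode, with
// the XML entities spelled out. Each .replace() touches one occurrence only.
function xmlEncodeFirstOnly(str) {
  if (str) {
    str = str.replace("&", "&amp;")
             .replace(">", "&gt;")
             .replace("<", "&lt;")
             .replace("'", "&apos;")
             .replace('"', "&quot;");
  }
  return str;
}

// Hardened shape: one global regex with a lookup table escapes every
// occurrence in a single pass, so an '&' produced by one substitution can
// never be re-encoded by a later one. Non-string input is returned unchanged,
// preserving the null/undefined guard of the old code.
const XML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&apos;",
};
function xmlEncodeAll(str) {
  if (typeof str !== "string") {
    return str;
  }
  return str.replace(/[&<>"']/g, (c) => XML_ESCAPES[c]);
}

// Defender-side check usable in a unit test: an encoded string must contain no
// raw markup characters and no '&' that does not start one of the five entities.
function isFullyEncoded(str) {
  return !/[<>"']/.test(str) && !/&(?!(?:amp|lt|gt|quot|apos);)/.test(str);
}

// Constructed sample: a chat payload with two tags and two quoted segments.
const SAMPLE = 'a<b>c<d>"e"';

// Stand-alone demo: the first-only form leaves the second '<', '>' and '"'
// untouched; the global form encodes all of them.
console.log("first-only:", xmlEncodeFirstOnly(SAMPLE), isFullyEncoded(xmlEncodeFirstOnly(SAMPLE)));
console.log("global    :", xmlEncodeAll(SAMPLE), isFullyEncoded(xmlEncodeAll(SAMPLE)));
```

Run it with `node` on the file; the `isFullyEncoded` check is the kind of assertion that would have caught the original encoder in a unit test, since it fails on any output that still contains a raw `<`, `>`, `"` or `'`.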
--- Begin Message ---
- To: 932251-done@bugs.debian.org, 933839-done@bugs.debian.org, 939120-done@bugs.debian.org, 942520-done@bugs.debian.org, 943889-done@bugs.debian.org, 947102-done@bugs.debian.org, 947142-done@bugs.debian.org, 947172-done@bugs.debian.org, 947442-done@bugs.debian.org, 948333-done@bugs.debian.org, 948381-done@bugs.debian.org, 948786-done@bugs.debian.org, 948855-done@bugs.debian.org, 949113-done@bugs.debian.org, 949702-done@bugs.debian.org, 949890-done@bugs.debian.org, 949891-done@bugs.debian.org, 949897-done@bugs.debian.org, 949921-done@bugs.debian.org, 950104-done@bugs.debian.org, 950105-done@bugs.debian.org, 950478-done@bugs.debian.org, 950546-done@bugs.debian.org, 950547-done@bugs.debian.org, 950655-done@bugs.debian.org, 950765-done@bugs.debian.org, 950773-done@bugs.debian.org, 950795-done@bugs.debian.org, 950854-done@bugs.debian.org, 950918-done@bugs.debian.org, 951146-done@bugs.debian.org, 951399-done@bugs.debian.org, 951563-done@bugs.debian.org, 951761-done@bugs.debian.org, 951769-done@bugs.debian.org, 951871-done@bugs.debian.org, 952414-done@bugs.debian.org, 952441-done@bugs.debian.org, 952586-done@bugs.debian.org, 952785-done@bugs.debian.org, 953005-done@bugs.debian.org, 953124-done@bugs.debian.org, 953246-done@bugs.debian.org, 953647-done@bugs.debian.org, 953737-done@bugs.debian.org, 953797-done@bugs.debian.org, 954001-done@bugs.debian.org, 954073-done@bugs.debian.org, 954269-done@bugs.debian.org, 954398-done@bugs.debian.org, 954404-done@bugs.debian.org, 954714-done@bugs.debian.org, 954757-done@bugs.debian.org, 954835-done@bugs.debian.org, 954838-done@bugs.debian.org, 954862-done@bugs.debian.org, 954985-done@bugs.debian.org, 955395-done@bugs.debian.org, 955410-done@bugs.debian.org, 955508-done@bugs.debian.org, 955509-done@bugs.debian.org, 955510-done@bugs.debian.org, 955547-done@bugs.debian.org, 955860-done@bugs.debian.org, 956155-done@bugs.debian.org, 956216-done@bugs.debian.org, 956315-done@bugs.debian.org, 956533-done@bugs.debian.org, 
956535-done@bugs.debian.org, 956536-done@bugs.debian.org, 956801-done@bugs.debian.org, 956861-done@bugs.debian.org, 956890-done@bugs.debian.org, 956913-done@bugs.debian.org, 956932-done@bugs.debian.org, 958053-done@bugs.debian.org, 958141-done@bugs.debian.org, 958173-done@bugs.debian.org, 958395-done@bugs.debian.org, 958399-done@bugs.debian.org, 958489-done@bugs.debian.org, 958490-done@bugs.debian.org, 958568-done@bugs.debian.org, 958714-done@bugs.debian.org, 958716-done@bugs.debian.org, 958814-done@bugs.debian.org, 958887-done@bugs.debian.org, 958916-done@bugs.debian.org, 958931-done@bugs.debian.org, 958969-done@bugs.debian.org, 958994-done@bugs.debian.org, 959081-done@bugs.debian.org, 959101-done@bugs.debian.org, 959224-done@bugs.debian.org, 959431-done@bugs.debian.org, 959489-done@bugs.debian.org, 948191-done@bugs.debian.org
- Subject: Closing requests included in 10.4 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 May 2020 11:53:52 +0100
- Message-id: <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's stable point release.

Regards,

Adam
--- End Message ---