Your message dated Sat, 09 May 2020 11:53:52 +0100 with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk> and subject line Closing requests included in 10.4 point release has caused the Debian Bug report #954985, regarding buster-pu: package node-knockout/3.4.2-2+deb10u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
954985: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954985
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package node-knockout/3.4.2-2+deb10u1
- From: Xavier Guimard <yadd@debian.org>
- Date: Thu, 26 Mar 2020 11:21:26 +0100
- Message-id: <158521808665.1696944.12931317684663713763.reportbug@deb007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

node-knockout is vulnerable to CVE-2019-14862 (#943560): bad escaping for old MSIE browsers (MSIE ≤ 7). This little patch fixes this issue.

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog index e35157d..078f2f8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-knockout (3.4.2-2+deb10u1) buster; urgency=medium + + * Team upload + * Fix bad escaping for old MSIE (Closes: #943560, CVE-2019-14862) + + -- Xavier Guimard <yadd@debian.org> Thu, 26 Mar 2020 11:17:36 +0100 + node-knockout (3.4.2-2) unstable; urgency=medium * Mark package as Multi-Arch: foreign diff --git a/debian/patches/CVE-2019-14862.diff b/debian/patches/CVE-2019-14862.diff new file mode 100644 index 0000000..212b29e --- /dev/null +++ b/debian/patches/CVE-2019-14862.diff 
@@ -0,0 +1,45 @@ +Description: fix for CVE-2019-14862 +Author: Michael Best +Origin: upstream, https://github.com/knockout/knockout/pull/2345/files +Bug: https://github.com/knockout/knockout/issues/1244 +Bug-Debian: https://bugs.debian.org/943560 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <yadd@debian.org> +Last-Update: 2020-03-26 + +--- a/spec/defaultBindings/attrBehaviors.js ++++ b/spec/defaultBindings/attrBehaviors.js +@@ -26,6 +26,14 @@ + expect(testNode.childNodes[0].outerHTML).toNotMatch('name="?([^">]+)'); + } + expect(testNode.childNodes[0].getAttribute("name")).toEqual(""); ++ ++ // Check that special characters are handled appropriately ++ myValue("<A name with special &'\" chars>"); ++ expect(testNode.childNodes[0].name).toEqual("<A name with special &'\" chars>"); ++ if (testNode.childNodes[0].outerHTML) { // Old Firefox doesn't support outerHTML ++ expect(testNode.childNodes[0].outerHTML).toMatch('name="?(<|<)A name with special &\'" chars(>|>)"?'); ++ } ++ expect(testNode.childNodes[0].getAttribute("name")).toEqual("<A name with special &'\" chars>"); + }); + + it('Should respond to changes in an observable value', function() { +@@ -62,4 +70,4 @@ + expect(testNode.childNodes[0].className).toEqual(""); + expect(testNode.childNodes[0].getAttribute("class")).toEqual(null); + }); +-}); +\ No newline at end of file ++}); +--- a/src/utils.js ++++ b/src/utils.js +@@ -451,7 +451,8 @@ + // - http://www.matts411.com/post/setting_the_name_attribute_in_ie_dom/ + if (ieVersion <= 7) { + try { +- element.mergeAttributes(document.createElement("<input name='" + element.name + "'/>"), false); ++ var escapedName = element.name.replace(/[&<>'"]/g, function(r){ return "&#" + r.charCodeAt(0) + ";"; }); ++ element.mergeAttributes(document.createElement("<input name='" + escapedName + "'/>"), false); + } + catch(e) {} // For IE9 with doc mode "IE9 Standards" and browser mode "IE9 Compatibility View" + } 
diff --git a/debian/patches/series b/debian/patches/series index 0108572..6429144 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ gruntfile.patch +CVE-2019-14862.diff
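Review bot: in the spec hunk for `spec/defaultBindings/attrBehaviors.js` (`@@ -26,6 +26,14 @@`), the new `toMatch` pattern `'name="?(<|<)A name with special &\'" chars(>|>)"?'` has identical alternatives on both sides of `(<|<)` and `(>|>)`, so the alternation is redundant and only the raw `<`/`>` form of the serialised attribute is accepted; if the intent is to also accept an entity-encoded form from `outerHTML`, the second alternative should be the entity, otherwise collapse each group to the plain character so the test's expectation is unambiguous.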
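Review bot: in the `src/utils.js` hunk (`@@ -451,7 +451,8 @@`), the new `escapedName` replaces `&`, `<`, `>`, `'` and `"` with numeric character references before the value is interpolated into the single-quoted `name='...'` of the `createElement` markup string, which closes the attribute-injection point that the unescaped `element.name` left open on IE ≤ 7 (including `&` in the set avoids double-decoding of values that already contain entities). The unchanged `catch(e) {}` now also swallows any exception from the added `.replace` call, so a non-string `element.name` would silently skip the IE workaround rather than fail loudly; a short comment or a `typeof element.name === "string"` guard before the `replace` would make that behaviour explicit.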
--- End Message ---
--- Begin Message ---
- To: 932251-done@bugs.debian.org, 933839-done@bugs.debian.org, 939120-done@bugs.debian.org, 942520-done@bugs.debian.org, 943889-done@bugs.debian.org, 947102-done@bugs.debian.org, 947142-done@bugs.debian.org, 947172-done@bugs.debian.org, 947442-done@bugs.debian.org, 948333-done@bugs.debian.org, 948381-done@bugs.debian.org, 948786-done@bugs.debian.org, 948855-done@bugs.debian.org, 949113-done@bugs.debian.org, 949702-done@bugs.debian.org, 949890-done@bugs.debian.org, 949891-done@bugs.debian.org, 949897-done@bugs.debian.org, 949921-done@bugs.debian.org, 950104-done@bugs.debian.org, 950105-done@bugs.debian.org, 950478-done@bugs.debian.org, 950546-done@bugs.debian.org, 950547-done@bugs.debian.org, 950655-done@bugs.debian.org, 950765-done@bugs.debian.org, 950773-done@bugs.debian.org, 950795-done@bugs.debian.org, 950854-done@bugs.debian.org, 950918-done@bugs.debian.org, 951146-done@bugs.debian.org, 951399-done@bugs.debian.org, 951563-done@bugs.debian.org, 951761-done@bugs.debian.org, 951769-done@bugs.debian.org, 951871-done@bugs.debian.org, 952414-done@bugs.debian.org, 952441-done@bugs.debian.org, 952586-done@bugs.debian.org, 952785-done@bugs.debian.org, 953005-done@bugs.debian.org, 953124-done@bugs.debian.org, 953246-done@bugs.debian.org, 953647-done@bugs.debian.org, 953737-done@bugs.debian.org, 953797-done@bugs.debian.org, 954001-done@bugs.debian.org, 954073-done@bugs.debian.org, 954269-done@bugs.debian.org, 954398-done@bugs.debian.org, 954404-done@bugs.debian.org, 954714-done@bugs.debian.org, 954757-done@bugs.debian.org, 954835-done@bugs.debian.org, 954838-done@bugs.debian.org, 954862-done@bugs.debian.org, 954985-done@bugs.debian.org, 955395-done@bugs.debian.org, 955410-done@bugs.debian.org, 955508-done@bugs.debian.org, 955509-done@bugs.debian.org, 955510-done@bugs.debian.org, 955547-done@bugs.debian.org, 955860-done@bugs.debian.org, 956155-done@bugs.debian.org, 956216-done@bugs.debian.org, 956315-done@bugs.debian.org, 956533-done@bugs.debian.org, 
956535-done@bugs.debian.org, 956536-done@bugs.debian.org, 956801-done@bugs.debian.org, 956861-done@bugs.debian.org, 956890-done@bugs.debian.org, 956913-done@bugs.debian.org, 956932-done@bugs.debian.org, 958053-done@bugs.debian.org, 958141-done@bugs.debian.org, 958173-done@bugs.debian.org, 958395-done@bugs.debian.org, 958399-done@bugs.debian.org, 958489-done@bugs.debian.org, 958490-done@bugs.debian.org, 958568-done@bugs.debian.org, 958714-done@bugs.debian.org, 958716-done@bugs.debian.org, 958814-done@bugs.debian.org, 958887-done@bugs.debian.org, 958916-done@bugs.debian.org, 958931-done@bugs.debian.org, 958969-done@bugs.debian.org, 958994-done@bugs.debian.org, 959081-done@bugs.debian.org, 959101-done@bugs.debian.org, 959224-done@bugs.debian.org, 959431-done@bugs.debian.org, 959489-done@bugs.debian.org, 948191-done@bugs.debian.org
- Subject: Closing requests included in 10.4 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 May 2020 11:53:52 +0100
- Message-id: <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's stable point release.

Regards,

Adam
--- End Message ---