
Bug#998832: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u1



Control: tags -1 + moreinfo

On Tue, 2021-11-09 at 08:25 +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Mon, Nov 08, 2021 at 12:27:03PM +0100, Yadd wrote:
[...]
> > Jquery-UI is the official jQuery user interface library. Prior to
> > version 1.13.0, accepting the value of the `of` option of the
> > `.position()` util from untrusted sources may execute untrusted code.
> > The issue is fixed in jQuery UI 1.13.0. Any string value passed to the
> > `of` option is now treated as a CSS selector. A workaround is to not
> > accept the value of the `of` option from untrusted sources.
> > (CVE-2021-41184)
> 
> AFAICS there are two more CVEs for jqueryui which were fixed in 1.13.0
> and so covered in unstable already. Can those be backported as well or
> are they too intrusive?
> 

Quick ping on this.

Regards,

Adam

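To make the CVE-2021-41184 description above concrete, here is an added example (not jQuery UI's or Debian's code, and not part of this bug thread) that models why a string `of` value was dangerous before 1.13.0. jQuery's `$()` decides whether a string is HTML, an `#id`, or a CSS selector using the `rquickExpr` pattern and a leading `<...>` shortcut from jQuery core; a string that lands on the HTML branch is parsed with `parseHTML`, so attacker-supplied markup with an event handler runs. The hardened behaviour is modelled as "strings are only ever selectors", which is what 1.13.0 does per the text above (the usual way to force that in jQuery is `$(document).find(of)`; that call form is my assumption, not something this thread states). The `sanitizeOf` helper and the sample inputs are constructed for illustration.

```javascript
// Added example, not code from jQuery UI: models jQuery's string dispatch so the
// difference between the pre-1.13.0 `of` handling and the fixed one is visible.

// rquickExpr is the pattern jQuery core uses to classify a string argument as
// HTML (capture group 1) or a bare #id lookup (capture group 2).
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Legacy behaviour, equivalent to $(options.of): returns how jQuery would
// interpret the value. "html" means the string is handed to parseHTML, where
// inline event handlers such as onerror/onload fire once the nodes are inserted.
function legacyOfDispatch(of) {
  if (typeof of !== "string") return "object"; // element, jQuery object or Event
  if (of[0] === "<" && of[of.length - 1] === ">" && of.length >= 3) return "html";
  const m = rquickExpr.exec(of);
  if (m && m[1]) return "html";   // leading whitespace / trailing junk still counts
  if (m && m[2]) return "id";     // getElementById path, no parsing
  return "selector";              // querySelectorAll/Sizzle path, no parsing
}

// Hardened behaviour (jQuery UI 1.13.0 per the advisory text): any string is
// used only as a CSS selector, so no branch can parse it as markup.
function hardenedOfDispatch(of) {
  return typeof of === "string" ? "selector" : "object";
}

// Caller-side workaround for code stuck on an older jQuery UI (assumption: your
// app only ever passes selectors): reject anything the legacy path would treat
// as HTML before it reaches .position({ of: ... }).
function sanitizeOf(of) {
  if (typeof of !== "string") return of;
  if (legacyOfDispatch(of) === "html") {
    throw new Error("`of` must be a CSS selector, not markup");
  }
  return of;
}

// Constructed sample inputs: two benign values and two attacker-style payloads.
const samples = [
  "#tooltip-anchor",
  ".dialog .title",
  "<img src=x onerror=alert(document.domain)>",
  "  <svg onload=alert(1)>trailing", // not caught by the "<...>" shortcut, but rquickExpr still says HTML
];

// Side-by-side report of how each value is interpreted under both behaviours.
function report(values = samples) {
  return values.map((of) => ({
    of,
    legacy: legacyOfDispatch(of),
    hardened: hardenedOfDispatch(of),
  }));
}

for (const row of report()) {
  console.log(`${JSON.stringify(row.of)}: legacy=${row.legacy} hardened=${row.hardened}`);
}
```

The fourth sample matters in review: a filter that only rejects strings beginning with `<` misses it, because `rquickExpr` tolerates leading whitespace and trailing text after the closing `>`. Classifying with jQuery's own rule, as `legacyOfDispatch` does, is the check to apply if you cannot upgrade to 1.13.0.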