Bug#998832: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u1



Hi,

On Mon, Nov 08, 2021 at 12:27:03PM +0100, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: pkg-javascript-devel@lists-alith.debian.net
> 
> [ Reason ]
> Jquery-UI is the official jQuery user interface library. Prior to version
> 1.13.0, accepting the value of the `of` option of the `.position()` util
> from untrusted sources may execute untrusted code. The issue is fixed in
> jQuery UI 1.13.0. Any string value passed to the `of` option is now treated
> as a CSS selector. A workaround is to not accept the value of the `of`
> option from untrusted sources. (CVE-2021-41184)

AFAICS there are two more CVEs for jqueryui which were fixed in 1.13.0
and so covered in unstable already. Can those be backported as well or
are they too intrusive?

Regards,
Salvatore
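What the quoted report describes, as an added example that is neither jQuery UI's own code nor the submitter's: jQuery's `$(string)` treats a string that looks like markup (starts with `<`, or matches its quick-expression regex) as HTML to parse, and everything else as a selector. If `.position()` hands an untrusted `of` value straight to `$()`, an attacker-supplied string such as `<img src=x onerror=...>` is parsed into live DOM nodes and the handler fires. The functions below model that dispatch and the 1.13.0 behaviour (strings are always selectors), plus the caller-side workaround the report mentions for versions that are not yet fixed. The classification rule is modelled on jQuery 3's `init` as I recall it (assumed, not copied from jQuery); the payload string and the result objects are constructed for illustration and no real DOM is touched.

```javascript
// Added example modelling CVE-2021-41184: how a string `of` option becomes an HTML sink.
// Not jQuery UI's code; a DOM-free model of jQuery's string dispatch (assumed shape).

// jQuery's quick test: "<...>" is markup, "#id" is an id lookup, anything else goes to the selector engine.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Return "html", "selector" or "non-string", the way $(value) would route the value.
function classifyJQueryString(value) {
  if (typeof value !== "string") return "non-string";
  // Fast path used by jQuery: a string bracketed by "<" and ">" is parsed as HTML.
  if (value[0] === "<" && value[value.length - 1] === ">" && value.length >= 3) return "html";
  const m = rquickExpr.exec(value);
  if (m && m[1]) return "html";
  return "selector";
}

// Pre-1.13.0 behaviour (modelled): `of` is passed to $() unchanged, so markup is parsed
// into live nodes and any inline handler in it runs. The returned object records what
// the real library would do with the value.
function resolveOfVulnerable(of) {
  const kind = classifyJQueryString(of);
  if (kind === "html") return { action: "parseHTML", input: of }; // attacker-controlled markup executes
  if (kind === "selector") return { action: "find", selector: of };
  return { action: "wrap", input: of }; // element / jQuery object / event
}

// 1.13.0 behaviour (modelled): every string is treated as a CSS selector and looked up,
// never parsed as HTML, so the markup payload resolves to "no such element".
function resolveOfHardened(of) {
  if (typeof of === "string") return { action: "find", selector: of };
  return { action: "wrap", input: of };
}

// Caller-side workaround for unfixed versions: reject any string jQuery would treat
// as markup before it reaches .position({ of: ... }).
function assertSafeOf(of) {
  if (typeof of === "string" && classifyJQueryString(of) === "html") {
    throw new TypeError("position() `of` must be a selector or element, not markup");
  }
  return of;
}

// Constructed payload of the kind the advisory warns about; never build this from user input.
const samplePayload = "<img src=x onerror=alert(1)>";
console.log("vulnerable:", resolveOfVulnerable(samplePayload).action); // parseHTML
console.log("hardened:  ", resolveOfHardened(samplePayload).action);   // find
```

The model is only as good as the dispatch rule it assumes; the useful check for a deployment is simply whether the jQuery UI in use is 1.13.0 or later, or whether every call site passing a string to `of` builds that string from trusted data.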