Your message dated Thu, 1 Jun 2023 13:40:05 +0200 with message-id <05c08645-1937-1a45-208e-a770077735df@debian.org> and subject line Re: Bug#1036980: unblock: jquery-minicolors/2.3.5+dfsg-4 has caused the Debian Bug report #1036980, regarding unblock: jquery-minicolors/2.3.5+dfsg-4 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1036980: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036980 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: jquery-minicolors/2.3.5+dfsg-4
- From: Yadd <yadd@debian.org>
- Date: Wed, 31 May 2023 16:49:37 +0400
- Message-id: <168553737795.448951.11534622664765877915.reportbug@debian117>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock X-Debbugs-Cc: jquery-minicolors@packages.debian.org Control: affects -1 + src:jquery-minicolors Please unblock package jquery-minicolors [ Reason ] jquery-minicolor is vulnerable to a cross-site scripting (CVE-2021-32850) [ Impact ] Low security issue [ Tests ] No test here [ Risks ] Low risk, patch is trivial [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock jquery-minicolors/2.3.5+dfsg-4diff --git a/debian/changelog b/debian/changelog index 1e959f0..dcf5b2f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +jquery-minicolors (2.3.5+dfsg-4) unstable; urgency=medium + + * Team upload + * Declare compliance with policy 4.6.2 + * Fix cross-site scripting issue (Closes: CVE-2021-32850) + + -- Yadd <yadd@debian.org> Wed, 31 May 2023 16:44:37 +0400 + jquery-minicolors (2.3.5+dfsg-3) unstable; urgency=medium [ Debian Janitor ] diff --git a/debian/control b/debian/control index 3dcf29b..66693e1 100644 --- a/debian/control +++ b/debian/control @@ -4,7 +4,7 @@ Priority: optional Maintainer: Debian JavaScript Maintainers <pkg-javascript-devel@lists.alioth.debian.org> Uploaders: Yadd <yadd@debian.org> Build-Depends: debhelper-compat (= 13), uglifyjs -Standards-Version: 4.6.0 +Standards-Version: 4.6.2 Homepage: https://github.com/jquery-minicolors Vcs-Git: https://salsa.debian.org/js-team/jquery-minicolors.git Vcs-Browser: https://salsa.debian.org/js-team/jquery-minicolors diff --git a/debian/patches/CVE-2021-32850.patch b/debian/patches/CVE-2021-32850.patch new file mode 100644 index 0000000..5e54e6d --- /dev/null +++ b/debian/patches/CVE-2021-32850.patch @@ -0,0 +1,21 @@ +Description: fix XSS vuln +Author: Cory LaViska <cory@abeautifulsite.net> +Origin: upstream, https://github.com/claviska/jquery-minicolors/commit/ef134824 +Bug: https://securitylab.github.com/advisories/GHSL-2021-1045_jQuery_MiniColors_Plugin/ +Forwarded: not-needed +Applied-Upstream: 2.3.6, commit:ef134824 +Reviewed-By: Yadd <yadd@debian.org> +Last-Update: 2023-05-31 + +--- a/jquery.minicolors.js ++++ b/jquery.minicolors.js +@@ -226,7 +226,8 @@ + } + swatchString = swatch; + swatch = isRgb(swatch) ? parseRgb(swatch, true) : hex2rgb(parseHex(swatch, true)); +- $('<li class="minicolors-swatch minicolors-sprite"><span class="minicolors-swatch-color" title="' + name + '"></span></li>') ++ $('<li class="minicolors-swatch minicolors-sprite"><span class="minicolors-swatch-color"></span></li>') ++ .attr("title", name) + .appendTo(swatches) + .data('swatch-color', swatchString) + .find('.minicolors-swatch-color') diff --git a/debian/patches/series b/debian/patches/series index 7ba3ddc..b5c3525 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 0001-Use-local-CSS-and-JavaScript-in-examples.patch +CVE-2021-32850.patch
--- End Message ---
--- Begin Message ---
- To: Yadd <yadd@debian.org>, 1036980-done@bugs.debian.org
- Subject: Re: Bug#1036980: unblock: jquery-minicolors/2.3.5+dfsg-4
- From: Paul Gevers <elbrus@debian.org>
- Date: Thu, 1 Jun 2023 13:40:05 +0200
- Message-id: <05c08645-1937-1a45-208e-a770077735df@debian.org>
- In-reply-to: <168553737795.448951.11534622664765877915.reportbug@debian117>
- References: <168553737795.448951.11534622664765877915.reportbug@debian117>
Hi, On 31-05-2023 14:49, Yadd wrote:unblock jquery-minicolors/2.3.5+dfsg-4unblocked and aged. PaulAttachment: OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---