Hi,

On Mon, Nov 08, 2021 at 12:27:03PM +0100, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: pkg-javascript-de...@lists-alith.debian.net
>
> [ Reason ]
> Jquery-UI is the official jQuery user interface library. Prior to version
> 1.13.0, accepting the value of the `of` option of the `.position()` util
> from untrusted sources may execute untrusted code. The issue is fixed in
> jQuery UI 1.13.0. Any string value passed to the `of` option is now treated
> as a CSS selector. A workaround is to not accept the value of the `of`
> option from untrusted sources. (CVE-2021-41184)
AFAICS there are two more CVEs for jqueryui which were fixed in 1.13.0 and
so covered in unstable already. Can those be backported as well or are they
too intrusive?

Regards,
Salvatore
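The workaround quoted in the bug report is to never hand an untrusted value to the `of` option of `.position()`. The following is an added example, not code from the bug report, from Debian, or from jQuery UI, of one way a page can enforce that on the client: an untrusted query-string value is only ever used as a key into a page-defined allow-list of anchor selectors, so the raw string never reaches `.position()`. The allow-list contents, the `anchor` query parameter and the function names are assumptions made for the example.

```javascript
// Added example (not from the bug report or from jQuery UI): resolve an
// untrusted value to an allow-listed selector before it is used as the
// `of` option of .position(). Anything not on the list is rejected.

// Hypothetical allow-list of anchors the page itself defines.
const ALLOWED_ANCHORS = Object.freeze({
  header: '#site-header',
  sidebar: '#sidebar',
  footer: '#site-footer',
});

// Returns the selector for a known anchor key, or null when the input is
// not a string or not an own key of the allow-list (inherited names such
// as "constructor" are deliberately not accepted).
function resolvePositionTarget(untrusted, allowList = ALLOWED_ANCHORS) {
  if (typeof untrusted !== 'string') return null;
  const key = untrusted.trim();
  return Object.prototype.hasOwnProperty.call(allowList, key)
    ? allowList[key]
    : null;
}

// Reads the (constructed) `anchor` parameter from a query string and maps
// it through the allow-list; returns null when absent or unknown.
function anchorFromQuery(queryString) {
  const params = new URLSearchParams(queryString);
  return resolvePositionTarget(params.get('anchor'));
}

// In a page using jQuery UI the result would be used like this:
//   const target = anchorFromQuery(window.location.search);
//   if (target) {
//     $('#tooltip').position({ my: 'left top', at: 'left bottom', of: target });
//   }
// Only an allow-listed selector is ever passed as `of`; the untrusted
// string itself is never used.

if (typeof require !== 'undefined' && require.main === module) {
  console.log(anchorFromQuery('?anchor=sidebar'));             // #sidebar
  console.log(anchorFromQuery('?anchor=%3Cimg%20src%3Dx%3E'));  // null
}
```

The design choice here is to map rather than sanitise: trying to validate an arbitrary string as a "safe" selector is fragile, whereas a fixed key-to-selector table makes the set of possible `of` values enumerable and reviewable.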