Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: jquery-minicol...@packages.debian.org
Control: affects -1 + src:jquery-minicolors
Please unblock package jquery-minicolors

[ Reason ]
jquery-minicolors is vulnerable to a cross-site scripting issue (CVE-2021-32850)

[ Impact ]
Low security issue

[ Tests ]
No test here

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

Cheers,
Yadd

unblock jquery-minicolors/2.3.5+dfsg-4
diff --git a/debian/changelog b/debian/changelog index 1e959f0..dcf5b2f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +jquery-minicolors (2.3.5+dfsg-4) unstable; urgency=medium + + * Team upload + * Declare compliance with policy 4.6.2 + * Fix cross-site scripting issue (Closes: CVE-2021-32850) + + -- Yadd <y...@debian.org> Wed, 31 May 2023 16:44:37 +0400 + jquery-minicolors (2.3.5+dfsg-3) unstable; urgency=medium [ Debian Janitor ] diff --git a/debian/control b/debian/control index 3dcf29b..66693e1 100644 --- a/debian/control +++ b/debian/control @@ -4,7 +4,7 @@ Priority: optional Maintainer: Debian JavaScript Maintainers <pkg-javascript-de...@lists.alioth.debian.org> Uploaders: Yadd <y...@debian.org> Build-Depends: debhelper-compat (= 13), uglifyjs -Standards-Version: 4.6.0 +Standards-Version: 4.6.2 Homepage: https://github.com/jquery-minicolors Vcs-Git: https://salsa.debian.org/js-team/jquery-minicolors.git Vcs-Browser: https://salsa.debian.org/js-team/jquery-minicolors diff --git a/debian/patches/CVE-2021-32850.patch b/debian/patches/CVE-2021-32850.patch new file mode 100644 index 0000000..5e54e6d --- /dev/null +++ b/debian/patches/CVE-2021-32850.patch 
@@ -0,0 +1,21 @@ +Description: fix XSS vuln +Author: Cory LaViska <c...@abeautifulsite.net> +Origin: upstream, https://github.com/claviska/jquery-minicolors/commit/ef134824 +Bug: https://securitylab.github.com/advisories/GHSL-2021-1045_jQuery_MiniColors_Plugin/ +Forwarded: not-needed +Applied-Upstream: 2.3.6, commit:ef134824 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2023-05-31 + +--- a/jquery.minicolors.js ++++ b/jquery.minicolors.js +@@ -226,7 +226,8 @@ + } + swatchString = swatch; + swatch = isRgb(swatch) ? parseRgb(swatch, true) : hex2rgb(parseHex(swatch, true)); +- $('<li class="minicolors-swatch minicolors-sprite"><span class="minicolors-swatch-color" title="' + name + '"></span></li>') ++ $('<li class="minicolors-swatch minicolors-sprite"><span class="minicolors-swatch-color"></span></li>') ++ .attr("title", name) + .appendTo(swatches) + .data('swatch-color', swatchString) + .find('.minicolors-swatch-color') diff --git a/debian/patches/series b/debian/patches/series index 7ba3ddc..b5c3525 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 0001-Use-local-CSS-and-JavaScript-in-examples.patch +CVE-2021-32850.patch
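Review bot: In the debian/changelog hunk, "Fix cross-site scripting issue (Closes: CVE-2021-32850)" misuses the Closes: keyword, which the changelog parser reserves for Debian bug numbers (Closes: #NNNNNN); a CVE id after it is ignored rather than matched, so nothing breaks, but it reads as if a bug is being closed. Suggest "Fix cross-site scripting issue (CVE-2021-32850)", and add "(Closes: #NNNNNN)" only if a BTS bug exists for this CVE.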
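Review bot: The debian/control hunk bumps Standards-Version from 4.6.0 to 4.6.2, which is unrelated to the CVE fix this unblock is for; the release team normally asks for a minimal diff during the freeze. Since it is a metadata-only change with no effect on the built package it is unlikely to be refused, but the request should state that explicitly rather than leaving the reviewer to work out that no other policy-driven change accompanies it.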
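Review bot: In the CVE-2021-32850.patch hunk, the fix is correct in principle, since `.attr("title", name)` lets jQuery set the attribute value rather than splicing `name` into HTML markup, so a crafted swatch name can no longer break out of the `title="..."` attribute. Two things to check before uploading: first, the attribute now lands on the outer `<li>` (the element the `$('<li ...>')` call returns) instead of the inner `<span class="minicolors-swatch-color">` where the removed line placed it, so any CSS or integration that selects on `span[title]` will see a behaviour change; the tooltip itself should still appear because the span fills the li. Second, the patch only touches `jquery.minicolors.js`; the Build-Depends on uglifyjs suggests the minified file is regenerated at build time, but please confirm that the shipped `.min.js` is built from the patched source, otherwise the vulnerable line survives in the file most deployments actually load.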