Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Dear Release Team,
[ Reason ]
I would like to fix CVE-2020-11022 and CVE-2020-11023. The same fix has
been prepared for stretch and will be uploaded concurrently with the
buster fix. The security team has marked these issues as no-dsa.
[ Impact ]
jquery would remain vulnerable to these issues if this update is not approved.
[ Tests ]
Backported patch was reviewed and approved by the Debian package
maintainers. Sadly, no reproducers were released.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them, along with the
maintainers of jquery
[x] attach debdiff against the package in (old)stable
[N/A] the issue is verified as fixed in unstable (jquery is not
present in unstable/testing)
Regards,
- -Roberto
-BEGIN PGP SIGNATURE-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=WoIV
-END PGP SIGNATURE-
diff -Nru jquery-3.3.1~dfsg/debian/changelog jquery-3.3.1~dfsg/debian/changelog
--- jquery-3.3.1~dfsg/debian/changelog 2019-04-19 02:52:35.0 -0400
+++ jquery-3.3.1~dfsg/debian/changelog 2021-03-09 14:42:16.0 -0500
@@ -1,3 +1,13 @@
+jquery (3.3.1~dfsg-3+deb10u1) buster; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Prevent untrusted code execution when passing untrusted HTML to DOM
+manipulation methods. (CVE-2020-11022)
+ * Prevent untrusted code execution when passing HTML containing
+elements to DOM manipulation methods. (CVE-2020-11023)
+
+ -- Roberto C. Sánchez Tue, 09 Mar 2021 14:42:16 -0500
+
jquery (3.3.1~dfsg-3) unstable; urgency=medium
* Team upload
diff -Nru jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch
jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch
--- jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch 1969-12-31
19:00:00.0 -0500
+++ jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch 2021-03-09
14:42:16.0 -0500
@@ -0,0 +1,1749 @@
+From 1d61fd9407e6fbe82fe55cb0b938307aa0791f77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Go=C5=82=C4=99biowski-Owczarek?=
+
+Date: Mon, 16 Mar 2020 21:49:29 +0100
+Subject: [PATCH] Manipulation: Make jQuery.htmlPrefilter an identity function
+
+Closes gh-4642
+
+(cherry picked from 90fed4b453a5becdb7f173d9e3c1492390a1441f)
+---
+ src/manipulation.js | 9 +--
+ test/data/testinit.js | 2 +-
+ test/localfile.html | 2 +-
+ test/unit/ajax.js | 8 +--
+ test/unit/attributes.js | 46 ++---
+ test/unit/basic.js| 24 +++
+ test/unit/core.js | 14 ++--
+ test/unit/css.js | 112 +++
+ test/unit/data.js | 20 +++---
+ test/unit/deprecated.js | 2 +-
+ test/unit/dimensions.js | 30 -
+ test/unit/effects.js | 22 +++---
+ test/unit/event.js| 26 +++
+ test/unit/manipulation.js | 138 ++
+ test/unit/offset.js | 10 +--
+ test/unit/selector.js | 4 +-
+ test/unit/traversing.js | 22 +++---
+ test/unit/wrap.js | 12 ++--
+ 18 files changed, 246 insertions(+), 257 deletions(-)
+
+--- a/src/manipulation.js
b/src/manipulation.js
+@@ -32,13 +32,6 @@
+
+ var
+
+- /* eslint-disable max-len */
+-
+- // See https://github.com/eslint/eslint/issues/3229
+- rxhtmlTag =
/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi,
+-
+- /* eslint-enable */
+-
+ // Support: IE <=10 - 11, Edge 12 - 13 only
+ // In IE/Edge using regex groups here causes severe slowdowns.
+ // See https://connect.microsoft.com/IE/feedback/details/1736512/
+@@ -235,7 +228,7 @@
+
+ jQuery.extend( {
+ htmlPrefilter: function( html ) {
+- return html.replace( rxhtmlTag, "<$1>" );
++ return html;
+ },
+
+ clone: function( elem, dataAndEvents, deepDataAndEvents ) {
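Review bot: With `htmlPrefilter` reduced to `return html;` in the second src/manipulation.js hunk, nothing in the code says that the pass-through is deliberate or that the function is not a sanitizer, so a later reader may assume it still filters markup. A comment above the function would make that explicit, for example `// Intentionally an identity function (CVE-2020-11022): rewriting self-closing tags changed how the markup was parsed; callers must still sanitize untrusted HTML before passing it to DOM manipulation methods.` Removing `rxhtmlTag` in the first hunk also drops the expansion of non-void self-closing tags, so input such as `<div/><span/>` is now parsed by the browser's own rules and likely nests rather than producing siblings. Since reverse dependencies in buster may rely on the old expansion, that behaviour change seems worth a line in d/changelog or a NEWS entry. The `jQuery.extend` block continues outside the hunk.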
+--- a/test/data/testinit.js
b/test/data/testinit.js
+@@ -244,7 +244,7 @@
+ }
+ wrapper.call( QUnit, title, function( assert ) {
+ var done = assert.async(),
+-