Your message dated Thu, 28 Jul 2022 06:50:07 +0000
with message-id <e1ogxlt-000h98...@fasolo.debian.org>
and subject line Bug#1015982: fixed in jqueryui 1.13.2+dfsg-1
has caused the Debian Bug report #1015982,
regarding jqueryui: CVE-2022-31160
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1015982: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015982
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jqueryui
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for jqueryui.
CVE-2022-31160[0]:
| jQuery UI is a curated set of user interface interactions, effects,
| widgets, and themes built on top of jQuery. Versions prior to 1.13.2
| are potentially vulnerable to cross-site scripting. Initializing a
| checkboxradio widget on an input enclosed within a label makes that
| parent label contents considered as the input label. Calling
| `.checkboxradio( "refresh" )` on such a widget and the initial HTML
| contained encoded HTML entities will make them erroneously get
| decoded. This can lead to potentially executing JavaScript code. The
| bug has been patched in jQuery UI 1.13.2. To remediate the issue,
| someone who can change the initial HTML can wrap all the non-input
| contents of the `label` in a `span`.
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-31160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31160
Please adjust the affected versions in the BTS as needed.
--- End Message ---
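The remediation the advisory gives for pages that cannot yet upgrade, wrapping the non-input contents of the `label` in a `span`, can be applied mechanically to existing templates. The following is an added example, not code from the jQuery UI project or from this report; it assumes that a `span` which is already a direct child of the label should be left alone (so the rewrite is idempotent) and it copies HTML entities through undecoded, which is exactly the property the bug violated.

```python
from html.parser import HTMLParser

VOID = {"input", "br", "hr", "img", "wbr"}  # elements that never get an end tag

class LabelSpanWrapper(HTMLParser):
    """Wrap runs of non-<input> content directly inside a <label> in a <span>."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # copy &lt; etc. through verbatim
        self.out, self.in_label, self.inner, self.wrapping = [], 0, 0, False
    def _open(self):  # open our wrapper only for direct children of a label
        if self.in_label and self.inner == 0 and not self.wrapping:
            self.out.append("<span>")
            self.wrapping = True
    def _close(self):
        if self.wrapping:
            self.out.append("</span>")
            self.wrapping = False
    def handle_starttag(self, tag, attrs):
        if tag == "label":
            self.in_label += 1
        elif self.in_label:
            if tag == "input":
                self._close()  # the input itself stays a direct child
            elif not (tag == "span" and self.inner == 0):
                self._open()   # an existing direct <span> is already fine (assumption)
            if tag not in VOID:
                self.inner += 1
        self.out.append(self.get_starttag_text())  # raw tag, attributes intact
    handle_startendtag = handle_starttag  # HTML treats <x/> like <x>
    def handle_endtag(self, tag):
        if tag == "label" and self.in_label:
            self._close()
            self.in_label -= 1
        elif self.in_label and tag not in VOID:
            self.inner -= 1
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if data.strip():  # whitespace alone does not need a wrapper
            self._open()
        self.out.append(data)
    def handle_entityref(self, name):  # &lt; &amp; ... re-emitted undecoded
        self.handle_data(f"&{name};")
    def handle_charref(self, name):    # &#60; &#x3c; ... likewise
        self.handle_data(f"&#{name};")

def wrap_label_contents(html):
    parser = LabelSpanWrapper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Labels without an enclosed input and any markup outside a `label` pass through byte-for-byte, so the function can be run over whole template files.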
--- Begin Message ---
Source: jqueryui
Source-Version: 1.13.2+dfsg-1
Done: Paul Gevers <elb...@debian.org>
We believe that the bug you reported is fixed in the latest version of
jqueryui, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1015...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Gevers <elb...@debian.org> (supplier of updated jqueryui package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 28 Jul 2022 08:05:07 +0200
Source: jqueryui
Architecture: source
Version: 1.13.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Paul Gevers <elb...@debian.org>
Closes: 1015982
Changes:
jqueryui (1.13.2+dfsg-1) unstable; urgency=medium
.
* New upstream version 1.13.2+dfsg
- Fixes CVE-2022-31160 (Closes: #1015982)
--- End Message ---