
[SECURITY] [DLA 3230-1] jqueryui security update




-------------------------------------------------------------------------
Debian LTS Advisory DLA-3230-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
December 07, 2022                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : jqueryui
Version        : 1.12.1+dfsg-5+deb10u1
CVE ID         : CVE-2021-41182 CVE-2021-41183 CVE-2021-41184
                 CVE-2022-31160
Debian Bug     : 1015982

jQuery-UI, the official jQuery user interface library, is a curated set
of user interface interactions, effects, widgets, and themes built on top
of jQuery. It was reported to have the following vulnerabilities.

CVE-2021-41182

    jQuery-UI accepted the value of the `altField` option of the
    Datepicker widget from untrusted sources, which may execute untrusted
    code. This has been fixed: any string value passed to the `altField`
    option is now treated as a CSS selector.

CVE-2021-41183

    jQuery-UI accepted the values of various `*Text` options of the
    Datepicker widget from untrusted sources, which may execute untrusted
    code. This has been fixed: the values passed to the various `*Text`
    options are now always treated as pure text, not HTML.

CVE-2021-41184

    jQuery-UI accepted the value of the `of` option of the `.position()`
    util from untrusted sources, which may execute untrusted code. This
    has been fixed: any string value passed to the `of` option is now
    treated as a CSS selector.

CVE-2022-31160

    jQuery-UI was potentially vulnerable to cross-site scripting.
    Initializing a checkboxradio widget on an input enclosed within a
    label makes the contents of that parent label be treated as the
    input's label. Calling `.checkboxradio( "refresh" )` on such a widget
    when the initial HTML contained encoded HTML entities erroneously
    decodes them. This can lead to executing JavaScript code.
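
The refresh path behind CVE-2022-31160, modelled as an added example in plain JavaScript (this is not jQuery UI's code): the browser has already decoded the label's entities once when it parsed the page, and `refresh` reads that decoded text back and writes it into the label again. The vulnerable path writes it as HTML, so the entities from the page source become live markup; the fixed path HTML-escapes first, which is the same treatment the `*Text` options received for CVE-2021-41183. The entity helpers and the sample label are constructed for this illustration.

```javascript
// Maps the entity forms a browser decodes when parsing a label's initial HTML
// (a small constructed subset, sufficient for the illustration).
const DECODE = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Stand-in for what .text() returns: the label's source HTML with entities decoded.
function decodeEntities(html) {
  return html.replace(/&(?:amp|lt|gt|quot|#39);/g, (m) => DECODE[m]);
}

// Escapes characters that would otherwise be parsed as markup when written via .html().
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ENCODE[c]);
}

// Vulnerable refresh: the once-decoded text is written back as HTML, so the
// markup the author had deliberately encoded is now parsed for real.
function refreshVulnerable(initialLabelHtml) {
  const labelText = decodeEntities(initialLabelHtml); // what .text() yields
  return labelText;                                   // written back via .html()
}

// Fixed refresh: the text is escaped before being written back, so the label
// renders exactly the characters that were in the page source.
function refreshFixed(initialLabelHtml) {
  const labelText = decodeEntities(initialLabelHtml);
  return escapeHtml(labelText);
}

// Detection helper: does the HTML that ends up in the label contain an element tag?
// After a correct refresh this must be false for any label that started as text.
function containsMarkup(html) {
  return /<[a-z][^>]*>/i.test(html);
}

// Constructed sample: a label whose source deliberately shows a literal <b> tag.
const SAMPLE_LABEL = 'Option &lt;b&gt;A&lt;/b&gt;';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', refreshVulnerable(SAMPLE_LABEL), containsMarkup(refreshVulnerable(SAMPLE_LABEL)));
  console.log('fixed:     ', refreshFixed(SAMPLE_LABEL), containsMarkup(refreshFixed(SAMPLE_LABEL)));
}
```

The round trip `decodeEntities(refreshFixed(x)) === decodeEntities(x)` is the property to check when reviewing any widget that re-renders DOM text it previously read back.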

For Debian 10 buster, these problems have been fixed in version
1.12.1+dfsg-5+deb10u1.

We recommend that you upgrade your jqueryui packages.

For the detailed security status of jqueryui please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jqueryui

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS