Debian Bug report logs -
#1036694
angular.js: CVE-2022-25869 CVE-2023-26116 CVE-2023-26117 CVE-2023-26118
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#1036694; Package src:angular.js.
(Wed, 24 May 2023 12:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Wed, 24 May 2023 12:45:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: angular.js
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for angular.js.
CVE-2022-25869[0]:
| All versions of package angular are vulnerable to Cross-site Scripting
| (XSS) due to insecure page caching in the Internet Explorer browser,
| which allows interpolation of <textarea> elements.
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781
CVE-2023-26116[1]:
| Versions of the package angular from 1.2.21 are vulnerable to Regular
| Expression Denial of Service (ReDoS) via the angular.copy() utility
| function due to the usage of an insecure regular expression.
| Exploiting this vulnerability is possible by a large carefully-crafted
| input, which can result in catastrophic backtracking.
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044
CVE-2023-26117[2]:
| Versions of the package angular from 1.0.0 are vulnerable to Regular
| Expression Denial of Service (ReDoS) via the $resource service due to
| the usage of an insecure regular expression. Exploiting this
| vulnerability is possible by a large carefully-crafted input, which
| can result in catastrophic backtracking.
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045
CVE-2023-26118[3]:
| Versions of the package angular from 1.4.9 are vulnerable to Regular
| Expression Denial of Service (ReDoS) via the <input type="url">
| element due to the usage of an insecure regular expression in the
| input[url] functionality. Exploiting this vulnerability is possible by
| a large carefully-crafted input, which can result in catastrophic
| backtracking.
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-25869
https://www.cve.org/CVERecord?id=CVE-2022-25869
[1] https://security-tracker.debian.org/tracker/CVE-2023-26116
https://www.cve.org/CVERecord?id=CVE-2023-26116
[2] https://security-tracker.debian.org/tracker/CVE-2023-26117
https://www.cve.org/CVERecord?id=CVE-2023-26117
[3] https://security-tracker.debian.org/tracker/CVE-2023-26118
https://www.cve.org/CVERecord?id=CVE-2023-26118
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 24 May 2023 14:06:06 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu May 25 13:13:09 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon