[Git][security-tracker-team/security-tracker][master] Reserve DLA-4242-1 for angular.js
Bastien Roucariès (@rouca)
rouca at debian.org
Sat Jul 19 23:23:04 BST 2025
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits:
46989cd1 by Bastien Roucariès at 2025-07-20T00:22:07+02:00
Reserve DLA-4242-1 for angular.js
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -96045,14 +96045,12 @@ CVE-2024-8373 (Improper sanitization of the value of the [srcset] attribute in <
- angular.js <unfixed> (bug #1088805)
[trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - angular.js <postponed> (Minor issue)
NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-8373
NOTE: PoC: https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b
CVE-2024-8372 (Improper sanitization of the value of the 'srcset' attribute in Angula ...)
- angular.js <unfixed> (bug #1088804)
[trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - angular.js <postponed> (Minor issue)
NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-8372
NOTE: PoC: https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017
CVE-2024-8042 (Rapid7 Insight Platform versions between November 2019 and August 14, ...)
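Review bot: Dropping the `[bullseye] - angular.js <postponed> (Minor issue)` line for both CVE-2024-8373 and CVE-2024-8372 leaves no explicit bullseye annotation, so the bullseye state for these two entries is now derived from the DLA-4242-1 record in data/DLA/list; that is only consistent if the DLA's CVE set names both ids (it does in this commit) and the `1.8.3-1+deb12u1~deb11u1` upload actually contains fixes for them, since the sid entries still read `<unfixed>` with trixie/bookworm `<postponed>`. If the bullseye package carries a backported patch for a bug still open in sid, a NOTE pointing at the patch source would make that state easier to verify later.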
@@ -157964,7 +157962,6 @@ CVE-2024-21490 (This affects versions of the package angular from 1.3.0. A regul
- angular.js <unfixed> (bug #1088803)
[trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - angular.js <no-dsa> (Minor issue)
[buster] - angular.js <postponed> (Fix along with the next DLA)
NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113
NOTE: PoC: https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos
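Review bot: The remaining `[buster] - angular.js <postponed> (Fix along with the next DLA)` line is now stale: the DLA added in this commit targets bullseye only, so buster will not get a fix "along with the next DLA". Either update the buster annotation to reflect its current status or add a NOTE saying the buster side is handled separately, so the entry does not imply a pending DLA that will not arrive.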
@@ -217329,7 +217326,6 @@ CVE-2023-26118 (Versions of the package angular from 1.4.9 are vulnerable to Reg
- angular.js <unfixed> (bug #1036694)
[trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - angular.js <no-dsa> (Minor issue)
[buster] - angular.js <no-dsa> (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046
NOTE: PoC: https://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos
@@ -217337,7 +217333,6 @@ CVE-2023-26117 (Versions of the package angular from 1.0.0 are vulnerable to Reg
- angular.js <unfixed> (bug #1036694)
[trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - angular.js <no-dsa> (Minor issue)
[buster] - angular.js <no-dsa> (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045
NOTE: PoC: https://stackblitz.com/edit/angularjs-vulnerability-resource-trailing-slashes-redos
@@ -217345,7 +217340,6 @@ CVE-2023-26116 (Versions of the package angular from 1.2.21 are vulnerable to Re
- angular.js <unfixed> (bug #1036694)
[trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - angular.js <no-dsa> (Minor issue)
[buster] - angular.js <no-dsa> (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044
NOTE: PoC: https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos
@@ -297776,7 +297770,6 @@ CVE-2022-25844 (The package angular after 1.7.0 are vulnerable to Regular Expres
- angular.js <unfixed> (bug #1014779)
[trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - angular.js <no-dsa> (Minor issue)
[buster] - angular.js <not-affected> (vulnerable code not present)
[stretch] - angular.js <not-affected> (vulnerable code not present)
NOTE: https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[20 Jul 2025] DLA-4242-1 angular.js - security update
+ {CVE-2022-25844 CVE-2023-26116 CVE-2023-26117 CVE-2023-26118 CVE-2024-8372 CVE-2024-8373 CVE-2024-21490 CVE-2025-0716 CVE-2025-2336}
+ [bullseye] - angular.js 1.8.3-1+deb12u1~deb11u1
[14 Jul 2025] DLA-4241-1 ffmpeg - security update
{CVE-2023-6601 CVE-2023-6602 CVE-2023-6604 CVE-2023-6605}
[bullseye] - ffmpeg 7:4.3.9-0+deb11u1
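Review bot: The CVE set for DLA-4242-1 includes CVE-2025-0716 and CVE-2025-2336, but no hunk in data/CVE/list touches either entry, unlike the other seven ids, whose bullseye lines are removed above. Check that those two entries already carry a bullseye state compatible with a versioned fix in `1.8.3-1+deb12u1~deb11u1`; if they still have an explicit `[bullseye]` annotation, it should be dropped in the same way so the tracker does not show conflicting states for one DLA.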
=====================================
data/dla-needed.txt
=====================================
@@ -34,12 +34,6 @@ adminer
amd64-microcode
NOTE: 20250710: Added by Front-Desk (apo)
--
-angular.js (rouca)
- NOTE: 20250507: Added by Front-Desk (Beuc)
- NOTE: 20250507: Should we EOL this package? (Beuc/front-desk)
- NOTE: 20250507: https://lists.debian.org/debian-lts/2025/05/msg00013.html
- NOTE: 20250609: all CVEs fixed wait for crosscheck (rouca)
---
ansible
NOTE: 20240915: Added by Front-Desk (ta)
NOTE: 20241103: Fixed sid, bookworm, and bullseye (rouca)
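Review bot: Removing the angular.js block discards the open question from the 20250507 NOTE ("Should we EOL this package?") without a recorded answer; reserving a DLA implies the decision was to fix rather than EOL, but nothing in the notes or the commit message says so. A short closing NOTE (or a sentence in the commit message) pointing at the debian-lts thread referenced in the removed block would keep that decision traceable for the next person who works on this package.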
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46989cd153d8569fa08028c9065c456b7ec94508