[Git][security-tracker-team/security-tracker][master] Revert semi-automatic embedded jqueryui/angular.js CVE attribution

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Fri May 9 09:10:23 BST 2025 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7e5484f0 by Sylvain Beucler at 2025-05-09T10:10:10+02:00
Revert semi-automatic embedded jqueryui/angular.js CVE attribution

(Keep data/embedded-code-copies changes.)

As discussed on IRC, such CVE attribution needs:
- coordination with Debian security and package teams
- impact assessment to avoid non-issues

Reverting Bastien's work myself because of the noise this generates on
my Front-Desk/triage work, and because it's still not done 2 days
after being asked, but I have otherwise nothing to do with this
initiative.

Revert "openshot-qt add embed jquery-ui.js"

This reverts commit 85238dc6385f5608175229792ab14c9b7e1893e5.

Revert "Add embded angular.js in openshot-qt"

This reverts commit 6ed72542de445bf31e1ca223a275d6f50f5fd9c2.

Revert "Duplicate CVEs from angular.js to civicrm"

This reverts commit c264d42b0464fb9f927eb502e7272be2e3bb6f76.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3870,8 +3870,6 @@ CVE-2025-1194 (A Regular Expression Denial of Service (ReDoS) vulnerability was
 	NOT-FOR-US: huggingface/transformers
 CVE-2025-0716 (Improper sanitization of the value of the 'href' and 'xlink:href' attr ...)
 	- angular.js <unfixed> (bug #1104485)
-	- civicrm <unfixed>
-	- openshot-qt <unfixed>
 CVE-2025-0520 (An unrestricted file upload vulnerability in ShowDoc caused by imprope ...)
 	NOT-FOR-US: ShowDoc
 CVE-2024-57698 (An issue in modernwms v.1.0 allows an attacker view the MD5 hash of th ...)
@@ -74112,16 +74110,12 @@ CVE-2024-8373 (Improper sanitization of the value of the [srcset] attribute in <
 	[trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
 	[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - angular.js <postponed> (Minor issue)
-	- civicrm <unfixed>
-	- openshot-qt <unfixed>
 	NOTE: https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b
 CVE-2024-8372 (Improper sanitization of the value of the 'srcset' attribute in Angula ...)
 	- angular.js <unfixed> (bug #1088804)
 	[trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
 	[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - angular.js <postponed> (Minor issue)
-	- civicrm <unfixed>
-	- openshot-qt <unfixed>
 	NOTE: https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017
 CVE-2024-8042 (Rapid7 Insight Platform versions between November 2019 and August 14,  ...)
 	NOT-FOR-US: Rapid7 Insight Platform
@@ -135945,8 +135939,6 @@ CVE-2024-21490 (This affects versions of the package angular from 1.3.0. A regul
 	[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - angular.js <no-dsa> (Minor issue)
 	[buster] - angular.js <postponed> (Fix along with the next DLA)
-	- civicrm <unfixed>
-	- openshot-qt <unfixed>
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113
 CVE-2024-1406 (A vulnerability was found in Linksys WRT54GL 4.30.18. It has been decl ...)
 	NOT-FOR-US: Linksys
@@ -195283,8 +195275,6 @@ CVE-2023-26118 (Versions of the package angular from 1.4.9 are vulnerable to Reg
 	[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - angular.js <no-dsa> (Minor issue)
 	[buster] - angular.js <no-dsa> (Minor issue)
-	- civicrm <unfixed>
-	- openshot-qt <unfixed>
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046
 CVE-2023-26117 (Versions of the package angular from 1.0.0 are vulnerable to Regular E ...)
 	- angular.js <unfixed> (bug #1036694)
@@ -195292,8 +195282,6 @@ CVE-2023-26117 (Versions of the package angular from 1.0.0 are vulnerable to Reg
 	[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - angular.js <no-dsa> (Minor issue)
 	[buster] - angular.js <no-dsa> (Minor issue)
-	- civicrm <unfixed>
-	- openshot-qt <unfixed>
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045
 CVE-2023-26116 (Versions of the package angular from 1.2.21 are vulnerable to Regular  ...)
 	- angular.js <unfixed> (bug #1036694)
@@ -195301,8 +195289,6 @@ CVE-2023-26116 (Versions of the package angular from 1.2.21 are vulnerable to Re
 	[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - angular.js <no-dsa> (Minor issue)
 	[buster] - angular.js <no-dsa> (Minor issue)
-	- civicrm <unfixed>
-	- openshot-qt <unfixed>
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044
 CVE-2023-26115 (All versions of the package word-wrap are vulnerable to Regular Expres ...)
 	NOT-FOR-US: Node.js word-wrap module
@@ -260054,7 +260040,6 @@ CVE-2022-31160 (jQuery UI is a curated set of user interface interactions, effec
 	{DLA-3230-1}
 	- jqueryui 1.13.2+dfsg-1 (bug #1015982)
 	[bullseye] - jqueryui 1.12.1+dfsg-8+deb11u2
-	- openshot-qt <unfixed>
 	NOTE: https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
 	NOTE: https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9 (1.13.2)
 CVE-2022-31159 (The AWS SDK for Java enables Java developers to work with Amazon Web S ...)
@@ -275661,8 +275646,6 @@ CVE-2022-25869 (All versions of package angular are vulnerable to Cross-site Scr
 	[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - angular.js <no-dsa> (Minor issue)
 	[buster] - angular.js <no-dsa> (Minor issue)
-	- civicrm <unfixed>
-	- openshot-qt <unfixed>
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781
 CVE-2022-25867 (The package io.socket:socket.io-client before 2.0.1 are vulnerable to  ...)
 	NOT-FOR-US: socket.io-client-java
@@ -275724,8 +275707,6 @@ CVE-2022-25844 (The package angular after 1.7.0 are vulnerable to Regular Expres
 	[bullseye] - angular.js <no-dsa> (Minor issue)
 	[buster] - angular.js <no-dsa> (Minor issue, probably even not-affected)
 	[stretch] - angular.js <ignored> (Nodejs in stretch not covered by security support)
-	- civicrm <unfixed>
-	- openshot-qt <unfixed>
 	NOTE: https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735
 CVE-2022-25843
 	RESERVED
@@ -306851,7 +306832,6 @@ CVE-2021-41184 (jQuery-UI is the official jQuery user interface library. Prior t
 	- otrs2 6.3.1-1
 	[bullseye] - otrs2 <no-dsa> (Non-free not supported)
 	[stretch] - otrs2 <no-dsa> (Non-free not supported)
-	- openshot-qt <unfixed>
 	NOTE: https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327
 	NOTE: https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280
 	NOTE: https://www.znuny.org/en/advisories/zsa-2022-01
@@ -306861,7 +306841,6 @@ CVE-2021-41183 (jQuery-UI is the official jQuery user interface library. Prior t
 	- jqueryui 1.13.0+dfsg-1
 	[bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1
 	[stretch] - jqueryui <no-dsa> (Minor issue)
-	- openshot-qt <unfixed>
 	- otrs2 6.3.1-1
 	[bullseye] - otrs2 <no-dsa> (Non-free not supported)
 	[stretch] - otrs2 <no-dsa> (Non-free not supported)
@@ -306876,7 +306855,6 @@ CVE-2021-41182 (jQuery-UI is the official jQuery user interface library. Prior t
 	- jqueryui 1.13.0+dfsg-1
 	[bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1
 	[stretch] - jqueryui <no-dsa> (Minor issue)
-	- openshot-qt <unfixed>
 	- otrs2 6.3.1-1
 	[bullseye] - otrs2 <no-dsa> (Non-free not supported)
 	[stretch] - otrs2 <no-dsa> (Non-free not supported)
@@ -423663,7 +423641,6 @@ CVE-2020-7676 (angular.js prior to 1.8.0 allows cross site scripting. The regex-
 	[buster] - angular.js <no-dsa> (Minor issue; can be fixed via point release)
 	[stretch] - angular.js <ignored> (Nodejs in stretch not covered by security support)
 	[jessie] - angular.js <no-dsa> (Minor issue, low usage of 2014-era Nodejs)
-	- openshot-qt <unfixed>
 	NOTE: https://github.com/angular/angular.js/pull/17028
 	NOTE: https://snyk.io/vuln/SNYK-JS-ANGULAR-570058
 CVE-2020-7675 (cd-messenger through 2.7.26 is vulnerable to Arbitrary Code Execution. ...)
@@ -470015,8 +469992,6 @@ CVE-2019-10768 (In AngularJS before 1.7.9 the function `merge()` could be tricke
 	[buster] - angular.js <no-dsa> (Minor issue; can be fixed via point release)
 	[stretch] - angular.js <ignored> (Nodejs in stretch not covered by security support)
 	[jessie] - angular.js <not-affected> (vulnerable code is not present, deep merging introduced later)
-	- civicrm <unfixed>
-	- openshot-qt <unfixed>
 	NOTE: https://github.com/angular/angular.js/commit/add78e62004e80bb1e16ab2dfe224afa8e513bc3
 	NOTE: https://snyk.io/vuln/SNYK-JS-ANGULAR-534884
 CVE-2019-10767 (An attacker can include file contents from outside the `/adapter/xxx/` ...)
@@ -613844,7 +613819,6 @@ CVE-2016-7103 (Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12
 	- jqueryui 1.12.1+dfsg-1
 	[jessie] - jqueryui <no-dsa> (Minor issue)
 	[wheezy] - jqueryui <no-dsa> (Minor issue)
-	- openshot-qt <unfixed>
 	NOTE: https://nodesecurity.io/advisories/127
 	NOTE: https://github.com/jquery/jquery-ui/pull/1622
 	NOTE: https://github.com/jquery/jquery-ui/pull/1632



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e5484f0931a4b5a3e269dbef83aee25c8a6c50e

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e5484f0931a4b5a3e269dbef83aee25c8a6c50e
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250509/cc813232/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list