-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 11 May 2025 23:40:38 +0200
Source: angular.js
Binary: libjs-angularjs
Architecture: all
Version: 1.8.3-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03)
Changed-By: Bastien Roucariès
Description:
 libjs-angularjs - lets you write client-side web applications as if you had a smart
Closes: 1014779 1036694 1088804 1088805 1104485
Changes:
 angular.js (1.8.3-1+deb12u1) bookworm; urgency=medium
 .
   * Team upload
   * Move to js team umbrella
   * Fix CVE-2022-25844 (Closes: #1014779)
     A Regular Expression Denial of Service vulnerability (ReDoS)
     was found by providing a custom locale rule that makes
     it possible to assign the parameter in
     posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre
     with a very high value
   * Fix CVE-2023-26116 (Closes: #1036694)
     A Regular Expression Denial of Service (ReDoS)
     was found via the angular.copy() utility function
     due to the usage of an insecure regular expression.
   * Fix CVE-2023-26117:
     A Regular Expression Denial of Service (ReDoS)
     was found via the $resource service due to the usage
     of an insecure regular expression.
   * Fix CVE-2023-26118:
     A Regular Expression Denial of Service (ReDoS)
     was found via the element due to the usage
     of an insecure regular expression in the input[url] functionality.
     Exploiting this vulnerability is possible by a large
     carefully-crafted input, which can result in catastrophic
     backtracking.
   * Fix CVE-2024-8372: (Closes: #1088804)
     Improper sanitization of the value of the 'srcset'
     attribute in AngularJS allows attackers to bypass common
     image source restrictions, which can also lead to a form
     of Content Spoofing
   * Fix CVE-2024-8373: (Closes: #1088805)
     Improper sanitization of the value of the [srcset]
     attribute in HTML elements in AngularJS allows
     attackers to bypass common image source restrictions,
     which can also lead to a form of Content Spoofing
   * Fix CVE-2024-21490:
     A regular expression used to split the value of the
     ng-srcset directive is vulnerable to super-linear runtime
     due to backtracking. With large carefully-crafted input,
     this can result in catastrophic backtracking and cause
     a denial of service.
   * Fix CVE-2025-0716: (Closes: #1104485)
     Improper sanitization of the value of the 'href'
     and 'xlink:href' attributes in '' SVG elements
     in AngularJS allows attackers to bypass common image
     source restrictions. This can lead to a form of
     Content Spoofing
 .
   * Fix CVE-2025-2336:
     An improper sanitization vulnerability has been identified
     in ngSanitize module, which allows attackers to bypass
     common image source restrictions normally applied to image
     elements. This bypass can further lead to a form of
     Content Spoofing. Similarly, the application's performance
     and behavior could be negatively affected by using too
     large or slow-to-load images.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----