Your message dated Sat, 19 Jul 2025 21:04:44 +0000
with message-id <[email protected]>
and subject line Bug#1088805: fixed in angular.js 1.8.3-2
has caused the Debian Bug report #1088805,
regarding angular.js: CVE-2024-8373
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1088805: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088805
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: angular.js
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for angular.js.
CVE-2024-8373[0]:
| Improper sanitization of the value of the [srcset] attribute in
| <source> HTML elements in AngularJS allows attackers to bypass
| common image source restrictions, which can also lead to a form of
| Content Spoofing
| https://owasp.org/www-community/attacks/Content_Spoofing . This
| issue affects all versions of AngularJS. Note: The AngularJS project
| is End-of-Life and will not receive any updates to address this
| issue. For more information see here
| https://docs.angularjs.org/misc/version-support-status .
https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-8373
https://www.cve.org/CVERecord?id=CVE-2024-8373
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: angular.js
Source-Version: 1.8.3-2
Done: Bastien Roucariès <[email protected]>
We believe that the bug you reported is fixed in the latest version of
angular.js, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <[email protected]> (supplier of updated angular.js package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 11 May 2025 23:40:38 +0200
Source: angular.js
Architecture: source
Version: 1.8.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Closes: 1014779 1036694 1088804 1088805 1104485
Changes:
 angular.js (1.8.3-2) unstable; urgency=medium
 .
   * Team upload
   * Move to js team umbrella
   * Fix CVE-2022-25844 (Closes: #1014779)
     A Regular Expression Denial of Service vulnerability (ReDoS)
     was found by providing a custom locale rule that makes
     it possible to assign the parameter in posPre: ' '.repeat()
     of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value
   * Fix CVE-2023-26116 (Closes: #1036694)
     A Regular Expression Denial of Service (ReDoS) was found
     via the angular.copy() utility function due to the usage
     of an insecure regular expression.
   * Fix CVE-2023-26117:
     A Regular Expression Denial of Service (ReDoS) was found
     via the $resource service due to the usage of an insecure
     regular expression.
   * Fix CVE-2023-26118:
     A Regular Expression Denial of Service (ReDoS) was found
     via the <input type="url"> element due to the usage of an
     insecure regular expression in the input[url] functionality.
     Exploiting this vulnerability is possible by a large
     carefully-crafted input, which can result in catastrophic
     backtracking.
   * Fix CVE-2024-8372: (Closes: #1088804)
     Improper sanitization of the value of the 'srcset'
     attribute in AngularJS allows attackers to bypass
     common image source restrictions, which can also
     lead to a form of Content Spoofing
   * Fix CVE-2024-8373: (Closes: #1088805)
     Improper sanitization of the value of the [srcset]
     attribute in <source> HTML elements in AngularJS allows
     attackers to bypass common image source restrictions,
     which can also lead to a form of Content Spoofing
   * Fix CVE-2024-21490:
     A regular expression used to split
     the value of the ng-srcset directive is vulnerable to
     super-linear runtime due to backtracking. With large
     carefully-crafted input, this can result in catastrophic
     backtracking and cause a denial of service.
   * Fix CVE-2025-0716: (Closes: #1104485)
     Improper sanitization of the value of the 'href'
     and 'xlink:href' attributes in '<image>' SVG elements
     in AngularJS allows attackers to bypass common image
     source restrictions. This can lead to a form of
     Content Spoofing.
   * Fix CVE-2025-2336:
     An improper sanitization vulnerability has been identified
     in ngSanitize module, which allows attackers to bypass
     common image source restrictions normally
     applied to image elements. This bypass can further lead to a form of
     Content Spoofing. Similarly, the application's performance and behavior
     could be negatively affected by using too large or slow-to-load images.
--- End Message ---