Debian Patches
Status for angular.js/1.8.3-3
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| CVE-2024-21490.patch | CVE-2024-21490 and CVE-2024-8372: fix ReDoS vulnerability with ng-srcset; also fix CVE-2024-8372 by sanitizing | Chris Rowe <chris@pebblepad.co.uk> | yes | debian upstream | backport, https://github.com/PebblePad/angular.js/commit/2111de19f71fa70ed8aa0a0797612718a6f6e867 | 2024-09-17 |
| CVE-2022-25844.patch | CVE-2022-25844: avoid a ReDoS by avoiding regex | Alister Stevens <alister@pebblepad.co.uk> | yes | debian upstream | part, https://github.com/PebblePad/angular.js/commit/ecfd8d3389d1ef813735febf6bf48ff5d970bc51 | 2025-05-12 |
| CVE-2023-26116.patch | CVE-2023-26116: fix the ReDoS by using regex.flags, available since 2020 for all browsers | Bastien Roucariès <rouca@debian.org> | yes | upstream | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036694 | 2025-05-12 |
| CVE-2023-26117.patch | CVE-2023-26117: fix a ReDoS by a linear replace | Bastien Roucariès <rouca@debian.org> | yes | debian upstream | | 2025-05-12 |
| CVE-2025-2336.patch | CVE-2025-2336: An improper sanitization vulnerability has been identified in AngularJS' ngSanitize module, which allows attackers to bypass common image source restrictions normally applied to image elements. This bypass can further lead to a form of Content Spoofing. Similarly, the application's performance and behavior could be negatively affected by using too large or slow-to-load images. The $sanitize service, which is provided by the angular-sanitize package, is used for sanitizing HTML strings by stripping all potentially dangerous tokens. As part of the sanitization, it checks the URLs of images to ensure they abide by the defined image source rules. This allows improving the security of an application by setting restrictions on the sources of images that can be shown, for example only allowing images from a specific domain. However, due to a bug in the $sanitize service, SVG `<image>` elements are not correctly detected as images, even when SVG support is enabled. As a result, the image source restrictions are not applied to the images that can be shown. This allows bypassing the image source restrictions configured in the application, which can also lead to a form of Content Spoofing. Similarly, the application's performance and behavior can be negatively affected by using too large or slow-to-load images. | Bastien Roucariès <rouca@debian.org> | yes | upstream | | 2025-06-07 |
| CVE-2023-26118.patch | CVE-2023-26118: Regular Expression Denial of Service (ReDoS) via the `<input type="url">` element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible with a large, carefully crafted input, which can result in catastrophic backtracking. | Bastien Roucariès <rouca@debian.org> | yes | debian upstream | backport, https://github.com/angular/angular/blob/3c9b8d9de5978dad99d49aa0107a70eddc4d1968/packages/misc/angular-in-memory-web-api/src/interfaces.ts#L135 | 2025-05-12 |
| CVE-2025-0716.patch | Fix improper sanitisation of href and xlink:href on SVG image elements (fixes CVE-2025-0716) | Alister Stevens <alister@pebblepad.co.uk> | yes | upstream | backport, https://github.com/PebblePad/angular.js/commit/71513129efd044c09e52d47455d73c62ff3287d8 | 2025-05-06 |
| CVE-2024-8373.patch | CVE-2024-8373 | Alister Stevens <alister@pebblepad.co.uk> | no | | backport, https://github.com/PebblePad/angular.js/commit/7cb36590cdfb23fc2106868b21eb7a78311eb36d | 2024-09-18 |
All known versions for source package 'angular.js'
- 1.8.3-3 (sid, forky, trixie)
- 1.8.3-1+deb12u1 (bookworm)
