angular.js (1.8.3-3)
OLD: VCS is behind the version in the archive: 1.8.3-2 < 1.8.3-3.
- Git: https://salsa.debian.org/js-team/angular.js.git
- Branch: master
- Path: debian/changelog
- Repo size: 155648
- Browser: https://salsa.debian.org/js-team/angular.js
- Last scan: 2025-09-08 17:50:03+00
- Next scan: 2025-09-16 01:26:00+00
- CI pipeline status: failed
- Debian changelog in Git:
angular.js (1.8.3-2) unstable; urgency=medium

  * Team upload
  * Move to js team umbrella
  * Fix CVE-2022-25844 (Closes: #1014779)
    A Regular Expression Denial of Service vulnerability (ReDoS)
    was found by providing a custom locale rule that makes
    it possible to assign the parameter in posPre: ' '.repeat()
    of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value
  * Fix CVE-2023-26116 (Closes: #1036694)
    A Regular Expression Denial of Service (ReDoS) was found
    via the angular.copy() utility function due to the usage
    of an insecure regular expression.
  * Fix CVE-2023-26117:
    A Regular Expression Denial of Service (ReDoS) was found
    via the $resource service due to the usage of an insecure
    regular expression.
  * Fix CVE-2023-26118:
    A Regular Expression Denial of Service (ReDoS) was found
    via the <input type="url"> element due to the usage of an
    insecure regular expression in the input[url] functionality.
    Exploiting this vulnerability is possible by a large
    carefully-crafted input, which can result in catastrophic
    backtracking.
  * Fix CVE-2024-8372: (Closes: #1088804)
    Improper sanitization of the value of the 'srcset'
    attribute in AngularJS allows attackers to bypass
    common image source restrictions, which can also
    lead to a form of Content Spoofing
  * Fix CVE-2024-8373: (Closes: #1088805)
    Improper sanitization of the value of the [srcset]
    attribute in <source> HTML elements in AngularJS allows
    attackers to bypass common image source restrictions,
    which can also lead to a form of Content Spoofing
  * Fix CVE-2024-21490:
    A regular expression used to split
    the value of the ng-srcset directive is vulnerable to
    super-linear runtime due to backtracking. With large
    carefully-crafted input, this can result in catastrophic
    backtracking and cause a denial of service.
  * Fix CVE-2025-0716: (Closes: #1104485)
    Improper sanitization of the value of the 'href'
    and 'xlink:href' attributes in '<image>' SVG elements
    in AngularJS allows attackers to bypass common image
    source restrictions. This can lead to a form of
    Content Spoofing.
  * Fix CVE-2025-2336:
    An improper sanitization vulnerability has been identified
    in ngSanitize module, which allows attackers to bypass
    common image source restrictions normally
    applied to image elements. This bypass can further lead to a form of
    Content Spoofing. Similarly, the application's performance and behavior
    could be negatively affected by using too large or slow-to-load images.

 -- Bastien Roucariès <rouca@debian.org>  Sun, 11 May 2025 23:40:38 +0200
- This branch is even with tag debian/1.8.3-2