Version in base suite: 0.9.28-2 Base version: yard_0.9.28-2 Target version: yard_0.9.28-2+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/y/yard/yard_0.9.28-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/y/yard/yard_0.9.28-2+deb12u2.dsc changelog | 14 +++++++++ patches/0013-CVE-2024-27285.patch | 54 ++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 69 insertions(+) diff -Nru yard-0.9.28/debian/changelog yard-0.9.28/debian/changelog --- yard-0.9.28/debian/changelog 2023-02-08 15:59:48.000000000 +0000 +++ yard-0.9.28/debian/changelog 2024-03-04 09:54:40.000000000 +0000 @@ -1,3 +1,17 @@ +yard (0.9.28-2+deb12u2) bookworm-security; urgency=high + + * Update patch for CVE-2024-27285 + (Closes: #1065118) + + -- Antonio Terceiro Mon, 04 Mar 2024 06:54:40 -0300 + +yard (0.9.28-2+deb12u1) bookworm-security; urgency=high + + * Add upstream patch to fix XSS vulnerability in frames.html + [CVE-2024-27285] + + -- Antonio Terceiro Wed, 28 Feb 2024 18:23:28 -0300 + yard (0.9.28-2) unstable; urgency=medium * Relax version dependency on webrick gem diff -Nru yard-0.9.28/debian/patches/0013-CVE-2024-27285.patch yard-0.9.28/debian/patches/0013-CVE-2024-27285.patch --- yard-0.9.28/debian/patches/0013-CVE-2024-27285.patch 1970-01-01 00:00:00.000000000 +0000 +++ yard-0.9.28/debian/patches/0013-CVE-2024-27285.patch 2024-03-04 09:54:40.000000000 +0000 @@ -0,0 +1,54 @@ +From d78fc393d603c4fc35975969296ed381146a29d4 Mon Sep 17 00:00:00 2001 +From: Aviv Keller <38299977+RedYetiDev@users.noreply.github.com> +Date: Wed, 28 Feb 2024 12:57:39 -0500 +Subject: [PATCH] Update frames.erb + +Combined patch of the following upstream fixes: + + From d78fc393d603c4fc35975969296ed381146a29d4 Mon Sep 17 00:00:00 2001 + From: Aviv Keller <38299977+RedYetiDev@users.noreply.github.com> + Date: Wed, 28 Feb 2024 12:57:39 -0500 + Subject: [PATCH] Update frames.erb + + From c88406e4b78f8dd4ba38c79eea0bcec716dbbef8 Mon Sep 17 00:00:00 2001 + 
From: Aviv Keller <38299977+RedYetiDev@users.noreply.github.com> + Date: Thu, 29 Feb 2024 17:01:50 -0500 + Subject: [PATCH] Update frames.erb + + From 2a0b9990b64ceeeb0456177c593e36e204a06df1 Mon Sep 17 00:00:00 2001 + From: Aviv Keller <38299977+RedYetiDev@users.noreply.github.com> + Date: Thu, 29 Feb 2024 22:12:11 +0000 + Subject: [PATCH] assign url_for_main to a variable + + From a831a596b2a7cabdd2e17855dd179af2ebf3d559 Mon Sep 17 00:00:00 2001 + From: Loren Segal + Date: Thu, 29 Feb 2024 14:14:48 -0800 + Subject: [PATCH] Fix semicolon + + +--- + templates/default/fulldoc/html/frames.erb | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/templates/default/fulldoc/html/frames.erb ++++ b/templates/default/fulldoc/html/frames.erb +@@ -5,10 +5,15 @@ + <%= options.title %> + + +
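Review bot: The 0.9.28-2+deb12u2 entry in debian/changelog says only "Update patch for CVE-2024-27285", which does not tell a reader of this security upload what was missing or wrong in the deb12u1 version of the patch. The header of 0013-CVE-2024-27285.patch lists four upstream commits dated 28 and 29 Feb 2024. Naming the commits that were folded in for this revision would make the entry auditable against upstream.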
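Review bot: The diffstat embedded in 0013-CVE-2024-27285.patch ("1 file changed, 3 insertions(+), 3 deletions(-)") does not agree with the hunk header that follows it, "@@ -5,10 +5,15 @@", which grows the region from 10 to 15 lines. It looks carried over from the first upstream commit and should be regenerated for the combined patch or dropped. The mail-style header likewise keeps only the From/Date/Subject of d78fc393 although the body says four commits are combined, and there is no DEP-3 Origin or Bug-Debian field tying the patch to #1065118. Adding those would let a later reviewer confirm that the combined diff matches the upstream commits it claims to contain.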