Version in base suite: 0.9.24-1

Base version: yard_0.9.24-1
Target version: yard_0.9.24-1+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/y/yard/yard_0.9.24-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/y/yard/yard_0.9.24-1+deb11u1.dsc

 changelog                         |    6 +++++
 patches/0010-CVE-2024-27285.patch |   44 ++++++++++++++++++++++++++++++++++++++
 patches/series                    |    1 
 3 files changed, 51 insertions(+)

gpgv: Signature made Thu Feb 27 10:17:19 2020 UTC
gpgv:                using RSA key 9CCD6B319DBF8E40AB1ABD1A89AF82B739CD217A
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on /srv/release.debian.org/tmp/tmpjwgpcqrw/yard_0.9.24-1.dsc
diff -Nru yard-0.9.24/debian/changelog yard-0.9.24/debian/changelog
--- yard-0.9.24/debian/changelog	2020-02-25 22:27:56.000000000 +0000
+++ yard-0.9.24/debian/changelog	2024-03-01 10:50:42.000000000 +0000
@@ -1,3 +1,9 @@
+yard (0.9.24-1+deb11u1) bullseye-security; urgency=medium
+
+  * CVE-2024-27285 (Closes: #1065118)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Fri, 01 Mar 2024 11:50:42 +0100
+
 yard (0.9.24-1) unstable; urgency=medium
 
   * New upstream version 0.9.24
diff -Nru yard-0.9.24/debian/patches/0010-CVE-2024-27285.patch yard-0.9.24/debian/patches/0010-CVE-2024-27285.patch
--- yard-0.9.24/debian/patches/0010-CVE-2024-27285.patch	1970-01-01 00:00:00.000000000 +0000
+++ yard-0.9.24/debian/patches/0010-CVE-2024-27285.patch	2024-03-01 10:50:31.000000000 +0000
@@ -0,0 +1,44 @@
+Combined patch of the following upstream fixes:
+
+From d78fc393d603c4fc35975969296ed381146a29d4 Mon Sep 17 00:00:00 2001
+From: Aviv Keller <38299977+RedYetiDev@users.noreply.github.com>
+Date: Wed, 28 Feb 2024 12:57:39 -0500
+Subject: [PATCH] Update frames.erb
+
+From c88406e4b78f8dd4ba38c79eea0bcec716dbbef8 Mon Sep 17 00:00:00 2001
+From: Aviv Keller <38299977+RedYetiDev@users.noreply.github.com>
+Date: Thu, 29 Feb 2024 17:01:50 -0500
+Subject: [PATCH] Update frames.erb
+
+From 2a0b9990b64ceeeb0456177c593e36e204a06df1 Mon Sep 17 00:00:00 2001
+From: Aviv Keller <38299977+RedYetiDev@users.noreply.github.com>
+Date: Thu, 29 Feb 2024 22:12:11 +0000
+Subject: [PATCH] assign url_for_main to a variable
+
+From a831a596b2a7cabdd2e17855dd179af2ebf3d559 Mon Sep 17 00:00:00 2001
+From: Loren Segal <lsegal@soen.ca>
+Date: Thu, 29 Feb 2024 14:14:48 -0800
+Subject: [PATCH] Fix semicolon
+
+--- yard-0.9.24.orig/templates/default/fulldoc/html/frames.erb
++++ yard-0.9.24/templates/default/fulldoc/html/frames.erb
+@@ -5,10 +5,15 @@
+ 	<title><%= options.title %></title>
+ </head>
+ <script type="text/javascript">
+-  var match = unescape(window.location.hash).match(/^#!(.+)/);
+-  var name = match ? match[1] : '<%= url_for_main %>';
+-  name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
+-  window.top.location = name;
++var mainUrl = '<%= url_for_main %>';
++try {
++    var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);
++    var name = match ? match[1] : mainUrl;
++    var url = new URL(name, location.href);
++    window.top.location.replace(url.origin === location.origin ? name : mainUrl);
++} catch (e) {
++    window.top.location.replace(mainUrl);
++}
+ </script>
+ <noscript>
+   <h1>Oops!</h1>
diff -Nru yard-0.9.24/debian/patches/series yard-0.9.24/debian/patches/series
--- yard-0.9.24/debian/patches/series	2020-02-25 22:27:56.000000000 +0000
+++ yard-0.9.24/debian/patches/series	2024-03-01 10:49:23.000000000 +0000
@@ -7,3 +7,4 @@
 0007-remove-git-usage-in-gemspec.patch
 0008-no-bundler-in-specs.patch
 0009-skip-some-config-specs-with-ruby2.7.patch
+0010-CVE-2024-27285.patch