Version in base suite: 1.14.2+dfsg1-1 Base version: dojo_1.14.2+dfsg1-1 Target version: dojo_1.14.2+dfsg1-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/d/dojo/dojo_1.14.2+dfsg1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/d/dojo/dojo_1.14.2+dfsg1-1+deb10u1.dsc changelog | 7 ++++++ patches/CVE-2019-10785.patch | 45 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 53 insertions(+)
diff -Nru dojo-1.14.2+dfsg1/debian/changelog dojo-1.14.2+dfsg1/debian/changelog
--- dojo-1.14.2+dfsg1/debian/changelog 2018-10-30 17:40:03.000000000 +0000
+++ dojo-1.14.2+dfsg1/debian/changelog 2020-03-04 05:41:25.000000000 +0000
@@ -1,3 +1,10 @@
+dojo (1.14.2+dfsg1-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Cleanup improper regex usage (Closes: #952771, CVE-2019-10785)
+
+ -- Xavier Guimard Wed, 04 Mar 2020 06:41:25 +0100
+
 dojo (1.14.2+dfsg1-1) unstable; urgency=medium
 * New upstream version. Fix a bower.json file error.
diff -Nru dojo-1.14.2+dfsg1/debian/patches/CVE-2019-10785.patch dojo-1.14.2+dfsg1/debian/patches/CVE-2019-10785.patch
--- dojo-1.14.2+dfsg1/debian/patches/CVE-2019-10785.patch 1970-01-01 00:00:00.000000000 +0000
+++ dojo-1.14.2+dfsg1/debian/patches/CVE-2019-10785.patch 2020-03-04 05:39:30.000000000 +0000
@@ -0,0 +1,45 @@
+Description: Cleanup improper regex usage
+Author: Paul
+Origin: upstream, https://github.com/dojo/dojox/pull/317
+Bug: https://github.com/dojo/dojox/pull/315
+Bug-Debian: https://bugs.debian.org/952771
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2020-02-29
+
+--- a/dojox/dtl/dom.js
++++ b/dojox/dtl/dom.js
+@@ -94,7 +94,7 @@ define([
+ var replacement = "";
+ for(var p = 2, pl = pair.length; p < pl; p++){
+ if(p == 2){
+- replacement += "<" + tag + ' dtlinstruction="{% ' + token[k].replace('"', '\\"') + ' %}">';
++ replacement += "<" + tag + ' dtlinstruction="{% ' + token[k].replace(/"/g, '\\"') + ' %}">';
+ }else if(tag == pair[p]) {
+ continue;
+ }else{
+--- a/dojox/widget/RollingList.js
++++ b/dojox/widget/RollingList.js
+@@ -1050,7 +1050,7 @@ dojo.declare("dojox.widget.RollingList",
+ widgetItem.store = this.store;
+ widgetItem.item = item;
+ if(!widgetItem.label){
+- widgetItem.attr("label", this.store.getLabel(item).replace(/", ">").replace("<", "<").replace("'", "'").replace('"', """);
+- }
+- return str;
++ return dojo.string.escape(str);
+ };
+
+ dojox.xmpp.util.encodeJid = function(jid) {
diff -Nru dojo-1.14.2+dfsg1/debian/patches/series dojo-1.14.2+dfsg1/debian/patches/series
--- dojo-1.14.2+dfsg1/debian/patches/series 2018-10-30 17:38:40.000000000 +0000
+++ dojo-1.14.2+dfsg1/debian/patches/series 2020-03-04 05:39:30.000000000 +0000
@@ -1,3 +1,4 @@
 0001-Compatibility-patch-for-newer-rhino.patch
 0002-Do-notrun-test-suite-in-build.patch
 0003-Disable-flash-storage.patch
+CVE-2019-10785.patch
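Review bot: In the dojox/dtl/dom.js hunk the new line `token[k].replace(/"/g, '\\"')` now replaces every `"` instead of only the first, but the substituted text `\"` is a JavaScript-string escape while the value is being placed inside a double-quoted HTML attribute (`' dtlinstruction="{% '` … `' %}">'`), where a backslash escapes nothing — so if that string is ever handed to an HTML parser, the raw `"` still terminates the attribute; the code that reads `dtlinstruction` back is outside the hunk, so it is worth confirming it reverses exactly this `\"` escape rather than parsing the string as markup. In the xmpp util hunk the removed lines (`- }`, `- return str;`) suggest the old replace chain ran under a guard before returning, whereas the new `return dojo.string.escape(str);` is unconditional, so confirm `dojo.string.escape` tolerates a null/undefined `str` and that `dojo.string` is loaded by that module (any require is outside the hunk). As rendered here the new RollingList.js line and the `---`/`+++` header of the xmpp util file are not visible (the text appears truncated between those two hunks), so those changes cannot be reviewed from this page.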