Hi! On Mon, Apr 25, 2022 at 01:48:43PM +0100, Neil Williams wrote: > On Mon, 25 Apr 2022 13:39:49 +0100 Neil Williams <codeh...@debian.org> wrote: > > Please note, the current homepage for libowasp-antisamy-java appears to > > have no commits beyond version 1.5.3 but the change for CVE-2022-29577 > > does match the source code for libowasp-antisamy-java: > > https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410 > > Apologies - that paragraph contains a typo - the matching change is for > CVE-2022-28367: > > The fix in what looks like the new upstream is: > https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae
Could you please make sure to as well include https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0 to make the fix complete. Possibly it's best to just update to the new 1.6.7 upstream version. Regards, Salvatore