On Mon, 25 Apr 2022 21:43:30 -0700 tony mancill <tmanc...@debian.org> wrote:

> On Mon, Apr 25, 2022 at 07:22:12PM +0200, Salvatore Bonaccorso wrote:
> > Hi!
> >
> > On Mon, Apr 25, 2022 at 01:48:43PM +0100, Neil Williams wrote:
> > > On Mon, 25 Apr 2022 13:39:49 +0100 Neil Williams
> > > <codeh...@debian.org> wrote:
> > > > Please note, the current homepage for libowasp-antisamy-java
> > > > appears to have no commits beyond version 1.5.3 but the change
> > > > for CVE-2022-29577 does match the source code for
> > > > libowasp-antisamy-java:
> > > > https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410
> > >
> > > Apologies - that paragraph contains a typo - the matching change
> > > is for CVE-2022-28367:
> > >
> > > The fix in what looks like the new upstream is:
> > > https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae
> >
> > Could you please make sure to as well include
> > https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0
> > to make the fix complete.
> >
> > Possibly it's best to just update to the new 1.6.7 upstream version.
>
> Hello,
>
> I have started working on the update to the latest upstream (1.6.8).
> Updating will require a NEW package for:
>
> https://github.com/HtmlUnit/htmlunit-neko

Note: htmlunit-neko also has open CVEs - these are currently ignored by
Debian but would be attributed to this package once an ITP bug is created
or a package uploaded. It would be worth considering how to manage the
ongoing work that may be required for both of these packages.

> (not to be confused with https://tracker.debian.org/pkg/nekohtml)
>
> I believe that's the only missing package, but haven't yet assessed
> htmlunit-neko to determine if there are other transitive dependencies.

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/