Bug#1010154: libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367
On Mon, 25 Apr 2022 21:43:30 -0700 tony mancill wrote:
> On Mon, Apr 25, 2022 at 07:22:12PM +0200, Salvatore Bonaccorso wrote:
> > Hi!
> >
> > On Mon, Apr 25, 2022 at 01:48:43PM +0100, Neil Williams wrote:
> > > On Mon, 25 Apr 2022 13:39:49 +0100 Neil Williams wrote:
> > > > Please note, the current homepage for libowasp-antisamy-java
> > > > appears to have no commits beyond version 1.5.3 but the change
> > > > for CVE-2022-29577 does match the source code for
> > > > libowasp-antisamy-java:
> > > > https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410
> > >
> > > Apologies - that paragraph contains a typo - the matching change
> > > is for CVE-2022-28367:
> > >
> > > The fix in what looks like the new upstream is:
> > > https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae
> >
> > Could you please make sure to as well include
> > https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0
> > to make the fix complete.
> >
> > Possibly it's best to just update to the new 1.6.7 upstream version.
>
> Hello,
>
> I have started working on the update to the latest upstream (1.6.8).
> Updating will require a NEW package for:
>
> https://github.com/HtmlUnit/htmlunit-neko

Note: htmlunit-neko also has open CVEs - these are currently ignored by
Debian but would be attributed to this package once an ITP bug is created
or a package uploaded. It would be worth considering how to manage the
ongoing work that may be required for both of these packages.

> (not to be confused with https://tracker.debian.org/pkg/nekohtml)
>
> I believe that's the only missing package, but haven't yet assessed
> htmlunit-neko to determine if there are other transitive dependencies.

-- 
Neil Williams
https://linux.codehelp.co.uk/
Bug#1010154: libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367
On Mon, Apr 25, 2022 at 07:22:12PM +0200, Salvatore Bonaccorso wrote:
> Hi!
>
> On Mon, Apr 25, 2022 at 01:48:43PM +0100, Neil Williams wrote:
> > On Mon, 25 Apr 2022 13:39:49 +0100 Neil Williams wrote:
> > > Please note, the current homepage for libowasp-antisamy-java appears to
> > > have no commits beyond version 1.5.3 but the change for CVE-2022-29577
> > > does match the source code for libowasp-antisamy-java:
> > > https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410
> >
> > Apologies - that paragraph contains a typo - the matching change is for
> > CVE-2022-28367:
> >
> > The fix in what looks like the new upstream is:
> > https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae
>
> Could you please make sure to as well include
> https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0
> to make the fix complete.
>
> Possibly it's best to just update to the new 1.6.7 upstream version.

Hello,

I have started working on the update to the latest upstream (1.6.8).
Updating will require a NEW package for:

https://github.com/HtmlUnit/htmlunit-neko

(not to be confused with https://tracker.debian.org/pkg/nekohtml)

I believe that's the only missing package, but haven't yet assessed
htmlunit-neko to determine if there are other transitive dependencies.

Cheers,
tony
Bug#1010154: libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367
Hi!

On Mon, Apr 25, 2022 at 01:48:43PM +0100, Neil Williams wrote:
> On Mon, 25 Apr 2022 13:39:49 +0100 Neil Williams wrote:
> > Please note, the current homepage for libowasp-antisamy-java appears to
> > have no commits beyond version 1.5.3 but the change for CVE-2022-29577
> > does match the source code for libowasp-antisamy-java:
> > https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410
>
> Apologies - that paragraph contains a typo - the matching change is for
> CVE-2022-28367:
>
> The fix in what looks like the new upstream is:
> https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae

Could you please make sure to as well include
https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0
to make the fix complete.

Possibly it's best to just update to the new 1.6.7 upstream version.

Regards,
Salvatore
Bug#1010154: libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367
On Mon, 25 Apr 2022 13:39:49 +0100 Neil Williams wrote:
> Please note, the current homepage for libowasp-antisamy-java appears to
> have no commits beyond version 1.5.3 but the change for CVE-2022-29577
> does match the source code for libowasp-antisamy-java:
> https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410

Apologies - that paragraph contains a typo - the matching change is for
CVE-2022-28367:

The fix in what looks like the new upstream is:
https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae

-- 
Neil Williams
https://linux.codehelp.co.uk/
Bug#1010154: libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367
Source: libowasp-antisamy-java
Version: 1.5.3+dfsg-1.1
Severity: important
Tags: security
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team

Hi,

Please note, the current homepage for libowasp-antisamy-java appears to
have no commits beyond version 1.5.3 but the change for CVE-2022-29577
does match the source code for libowasp-antisamy-java:
https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410

So I am reporting the bug on the basis that upstream looks to have moved
to a new location. There may be other CVEs which need to be attributed in
this case. Please confirm and update the package links if correct.

The following vulnerabilities were published for libowasp-antisamy-java.

CVE-2022-28367[0]:
| OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE
| content with crafted input. The output serializer does not properly
| encode the supposed Cascading Style Sheets (CSS) content.

CVE-2022-28366[1]:
| Certain Neko-related HTML parsers allow a denial of service via
| crafted Processing Instruction (PI) input that causes excessive heap
| memory consumption. In particular, this issue exists in HtmlUnit-Neko
| through 2.26, and is fixed in 2.27. This issue also exists in
| CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before
| 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this
| may be related to CVE-2022-24939.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-28367
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28367
[1] https://security-tracker.debian.org/tracker/CVE-2022-28366
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28366

Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled