Your message dated Fri, 29 Apr 2022 14:34:21 +0000
with message-id <[email protected]>
and subject line Bug#1010339: fixed in libowasp-esapi-java 2.4.0.0-1
has caused the Debian Bug report #1010339,
regarding libowasp-esapi-java: CVE-2022-24891 CVE-2022-23457 - cross-site-scripting and control-flow bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1010339: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010339
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libowasp-esapi-java
Version: 2.2.3.1-1
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libowasp-esapi-java.

CVE-2022-24891[0]:
| ESAPI (The OWASP Enterprise Security API) is a free, open source, web
| application security control library. Prior to version 2.3.0.0, there
| is a potential for a cross-site scripting vulnerability in ESAPI
| caused by an incorrect regular expression for "onsiteURL" in the
| **antisamy-esapi.xml** configuration file that can cause "javascript:"
| URLs to fail to be correctly sanitized. This issue is patched in ESAPI
| 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml**
| configuration files to change the "onsiteURL" regular expression. More
| information about remediation of the vulnerability, including the
| workaround, is available in the maintainers' release notes and
| security bulletin.


CVE-2022-23457[1]:
| ESAPI (The OWASP Enterprise Security API) is a free, open source, web
| application security control library. Prior to version 2.3.0.0, the
| default implementation of `Validator.getValidDirectoryPath(String,
| String, File, boolean)` may incorrectly treat the tested input string
| as a child of the specified parent directory. This potentially could
| allow control-flow bypass checks to be defeated if an attack can
| specify the entire string representing the 'input' path. This
| vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround,
| it is possible to write one's own implementation of the Validator
| interface. However, maintainers do not recommend this.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24891
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24891
[1] https://security-tracker.debian.org/tracker/CVE-2022-23457
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23457

Please adjust the affected versions in the BTS as needed.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
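As an added illustration of the bug class behind CVE-2022-23457 (not ESAPI's own code, and in Python rather than Java, with constructed sample paths): a weak string-prefix containment test shown next to a check that canonicalises both paths and compares whole path components.

```python
"""Containment check for a user-supplied directory path.

Added example, not ESAPI's implementation: a deliberately weak check
(naive_is_child) beside a hardened one (get_valid_directory_path).
"""
import os


def naive_is_child(parent: str, candidate: str) -> bool:
    """Flawed pattern: plain string-prefix test on the raw paths.

    Accepts a sibling directory whose name merely starts with the parent
    name (/srv/app-secret for parent /srv/app) and ignores '..' segments,
    so the candidate can resolve to a location outside the parent.
    """
    return candidate.startswith(parent)


def get_valid_directory_path(parent: str, candidate: str) -> str:
    """Return the canonical candidate path, or raise if it is not inside parent.

    Both paths are canonicalised first (symlinks and '..' resolved), then
    containment is tested on whole components via commonpath, so a sibling
    sharing a name prefix is rejected. The parent itself is accepted.
    """
    parent_c = os.path.realpath(parent)
    cand_c = os.path.realpath(candidate)
    if os.path.commonpath([parent_c, cand_c]) != parent_c:
        raise ValueError(f"{candidate!r} is not inside {parent!r}")
    return cand_c


def is_valid_directory_path(parent: str, candidate: str) -> bool:
    """Boolean wrapper around get_valid_directory_path."""
    try:
        get_valid_directory_path(parent, candidate)
        return True
    except ValueError:
        return False


# Constructed sample inputs: one parent directory and four candidates,
# with the verdict a correct containment check should give for each.
PARENT = "/srv/app"
SAMPLES = {
    "/srv/app/uploads": True,
    "/srv/app/uploads/../uploads": True,
    "/srv/app/../etc": False,
    "/srv/app-secret/keys": False,
}

if __name__ == "__main__":
    for path, expected in SAMPLES.items():
        print(f"{path:30} naive={naive_is_child(PARENT, path)!s:5} "
              f"hardened={is_valid_directory_path(PARENT, path)!s:5} "
              f"expected={expected}")
```

Run on Linux; the two rejected samples are exactly the ones the naive prefix test lets through.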
--- Begin Message ---
Source: libowasp-esapi-java
Source-Version: 2.4.0.0-1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libowasp-esapi-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated libowasp-esapi-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 29 Apr 2022 15:30:01 +0200
Source: libowasp-esapi-java
Architecture: source
Version: 2.4.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1010339
Changes:
 libowasp-esapi-java (2.4.0.0-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.4.0.0.
     - Fix CVE-2022-23457 and CVE-2022-24891 and a potential DoS vulnerability
       (CVE-2022-28366). (Closes: #1010339)
     Thanks to Neil Williams for the report.
   * Drop servlet-api.patch because it is no longer required.
   * Use canonical VCS URI.


--- End Message ---