Your message dated Mon, 03 Feb 2025 17:12:37 +0000
with message-id <[email protected]>
and subject line Bug#1084986: fixed in xhtml2pdf 0.2.16+dfsg-1
has caused the Debian Bug report #1084986,
regarding xhtml2pdf: CVE-2024-25885
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1084986: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084986
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xhtml2pdf
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for xhtml2pdf.

CVE-2024-25885[0]:
| An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13
| allows attackers to cause a Regular expression Denial of Service
| (ReDOS) via supplying a crafted string.

This apparently hasn't been forwarded upstream yet:
https://gist.github.com/salvatore-abello/c88dd0027496774023ef36c7b576d206


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25885
    https://www.cve.org/CVERecord?id=CVE-2024-25885

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: xhtml2pdf
Source-Version: 0.2.16+dfsg-1
Done: Colin Watson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
xhtml2pdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated xhtml2pdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 03 Feb 2025 16:39:02 +0000
Source: xhtml2pdf
Architecture: source
Version: 0.2.16+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1084986
Changes:
 xhtml2pdf (0.2.16+dfsg-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
   * CVE-2024-25885: Fix reDOS CVE in getColor function (closes: #1084986).
Checksums-Sha1:
 769374a403138dfbdc360ee4867e821da7570981 2513 xhtml2pdf_0.2.16+dfsg-1.dsc
 e0bcfbb1f450380337a5ddef8d1288498858fbb9 1494692 xhtml2pdf_0.2.16+dfsg.orig.tar.xz
 ca1b9623eb43a2fe28deaf26c0e09cbe7dd76191 9636 xhtml2pdf_0.2.16+dfsg-1.debian.tar.xz
Checksums-Sha256:
 11527f0b5898955935232cc2ad71ca5f278ae6c2538b40198d8ae73fb67dfbf0 2513 xhtml2pdf_0.2.16+dfsg-1.dsc
 99d79d3af38b0170b5b1ae09026979f3a555ae8952f5d299ee2f944202b8f42c 1494692 xhtml2pdf_0.2.16+dfsg.orig.tar.xz
 0cc38e4d11cf1da159abd929a63ee7b9b8bff1cd070f8ab054029ed03e433d7c 9636 xhtml2pdf_0.2.16+dfsg-1.debian.tar.xz
Files:
 c550c3a7ac23452e534040ffde083efa 2513 python optional xhtml2pdf_0.2.16+dfsg-1.dsc
 ee66b08223ed80e4b88d2c1f4c58439c 1494692 python optional xhtml2pdf_0.2.16+dfsg.orig.tar.xz
 d6fba8b69c34e3977ea247291d42fb2c 9636 python optional xhtml2pdf_0.2.16+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgp29BYWETlfb.pgp
Description: PGP signature


--- End Message ---
