Your message dated Sat, 31 Jan 2026 14:51:24 +0000
with message-id <[email protected]>
and subject line Bug#1126554: fixed in shaarli 0.16.1+dfsg-1
has caused the Debian Bug report #1126554,
regarding shaarli: CVE-2026-24476
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126554: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126554
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: shaarli
Version: 0.15.0+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for shaarli.

CVE-2026-24476[0]:
| Shaarli is a personal bookmarking service. Prior to version 0.16.0,
| crafting a malicious tag starting with `"` prematurely ends
| the `<input>` tag on the start page and allows an attacker to add
| arbitrary html leading to a possible XSS attack. Version 0.16.0
| fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24476
    https://www.cve.org/CVERecord?id=CVE-2026-24476
[1] https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg
[2] https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
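
The attribute breakout described in the CVE text above, shown as an added example that is not part of the bug report or Shaarli's own code: a tag is rendered into a double-quoted `value` attribute with and without escaping, and a parser check confirms whether the markup is still a single `<input>`. The field name `searchtags`, the function names and the sample tags are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample tags; the second starts with a double quote.
SAMPLE_TAGS = ["security", '"><b>injected</b>', "o'reilly & co"]


def render_unsafe(tag: str) -> str:
    # Deliberately vulnerable: raw interpolation into a quoted attribute.
    return f'<input type="text" name="searchtags" value="{tag}">'


def render_safe(tag: str) -> str:
    # Attribute-context escaping: ", ', <, > and & become character references.
    return f'<input type="text" name="searchtags" value="{escape(tag, quote=True)}">'


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.elements = []  # (name, attrs) for every start tag seen
        self.text = []      # text nodes outside of tags

    def handle_starttag(self, name, attrs):
        self.elements.append((name, dict(attrs)))

    def handle_data(self, data):
        self.text.append(data)


def attribute_holds(html: str, tag: str) -> bool:
    """True when html is exactly one <input> whose value round-trips to tag."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    return (
        len(parser.elements) == 1
        and parser.elements[0][0] == "input"
        and parser.elements[0][1].get("value") == tag
        and not "".join(parser.text).strip()
    )


def tags_that_break_out(render, tags):
    """Regression check: tags whose rendering escapes the value attribute."""
    return [t for t in tags if not attribute_holds(render(t), t)]


if __name__ == "__main__":
    print("unsafe:", tags_that_break_out(render_unsafe, SAMPLE_TAGS))
    print("safe:  ", tags_that_break_out(render_safe, SAMPLE_TAGS))
```
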
--- Begin Message ---
Source: shaarli
Source-Version: 0.16.1+dfsg-1
Done: James Valleroy <[email protected]>

We believe that the bug you reported is fixed in the latest version of
shaarli, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Valleroy <[email protected]> (supplier of updated shaarli package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 31 Jan 2026 09:33:15 -0500
Source: shaarli
Architecture: source
Version: 0.16.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: James Valleroy <[email protected]>
Closes: 1048094 1116936 1126554
Changes:
 shaarli (0.16.1+dfsg-1) unstable; urgency=medium
 .
   * Change debian branch name to debian/latest
   * Update debian/watch to Version 5
   * signing-key: Concatenate blocks, as instructed by uscan
   * d/control: Remove options that are now default
   * d/copyright: Update copyright year for debian/*
   * d/clean: Clean up generated files (Closes: #1048094)
   * d/postinst: Only enable apache mod rewrite if not already enabled
     (Closes: #1116936)
   * d/watch: Add Repacksuffix
   * d/copyright: Drop jquery excluded file, no longer shipped upstream
   * New upstream version 0.16.1+dfsg (Closes: #1126554, CVE-2026-24476)

--- End Message ---
