Your message dated Wed, 20 May 2026 15:04:06 +0000
with message-id <[email protected]>
and subject line Bug#1137160: fixed in libtemplate-perl 3.102-3
has caused the Debian Bug report #1137160,
regarding libtemplate-perl: CVE-2026-5090
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137160: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137160
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libtemplate-perl
Version: 3.102-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/abw/Template2/issues/327
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libtemplate-perl.

CVE-2026-5090[0]:
| Template::Plugin::HTML versions through 3.102 for Perl allows HTML
| and JavaScript to be injected.  The html_filter function did not
| escape single quotes. HTML attributes inside of single quotes could
| have code injected.  For example, the variable "var" in
|
|     <a id='ref' title='[% var | html %]'>
|
| would not be properly escaped. An attacker could insert some limited
| HTML and JavaScript, for example,
|
|     var = " ' onclick='while (true) { alert(1) }'"
|
| Note that arbitrary HTML and JavaScript would be difficult to inject,
| because angle brackets, ampersands and double-quotes would still be
| escaped.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5090
    https://www.cve.org/CVERecord?id=CVE-2026-5090
[1] https://lists.security.metacpan.org/cve-announce/msg/40218729/
[2] https://github.com/abw/Template2/issues/327
[3] https://github.com/cpan-authors/Template2/pull/337
[4] https://github.com/cpan-authors/Template2/commit/11c78a7a771d4af505efeb754a0b8775689c2eae

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libtemplate-perl
Source-Version: 3.102-3
Done: gregor herrmann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libtemplate-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libtemplate-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 20 May 2026 16:44:18 +0200
Source: libtemplate-perl
Architecture: source
Version: 3.102-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1137160
Changes:
 libtemplate-perl (3.102-3) unstable; urgency=medium
 .
   * Team upload.
   * Add patch from upstream Git to escape single quotes in HTML filter.
     Fixes CVE-2026-5090: allows HTML and JavaScript to be injected.
     (Closes: #1137160)
Git-Tag-Tagger: gregor herrmann <[email protected]>


--- End Message ---
