Adrian Bunk pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
19b4fe9a by Adrian Bunk at 2022-05-22T16:03:36+03:00
php-dompdf: Even unstable has a version before CVE-2022-28368 was introduced
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -7926,13 +7926,14 @@ CVE-2022-28370
CVE-2022-28369
RESERVED
CVE-2022-28368 (Dompdf 1.2.1 allows remote code execution via a .php file in
the src:u ...)
- - php-dompdf <unfixed> (bug #1010090)
- [stretch] - php-dompdf <not-affected> (Vulnerable code not present)
+ - php-dompdf <not-affected> (Vulnerable code introduced in 0.8.0, fixed
in 1.2.1)
NOTE: https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce/
NOTE: https://positive.security/blog/dompdf-rce
NOTE: https://github.com/dompdf/dompdf/issues/2598
NOTE: https://github.com/dompdf/dompdf/pull/2808
NOTE:
https://github.com/dompdf/dompdf/commit/4c70e1025bcd9b7694b95dd552499bd83cd6141d
(v1.2.1)
+ NOTE: Vulnerability introduced by:
+ NOTE:
https://github.com/dompdf/dompdf/commit/0e0261b7bce372b3a05b712a023f6f742a22d57e
(v0.8.0)
CVE-2022-28367 (OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling
on STYLE ...)
- libowasp-antisamy-java <unfixed> (bug #1010154)
NOTE:
https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae
(v1.6.6)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19b4fe9ac2ffd4bc26a510e041a9a8abd56372f6
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19b4fe9ac2ffd4bc26a510e041a9a8abd56372f6
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
