Your message dated Fri, 02 Sep 2022 23:34:02 +0000
with message-id <[email protected]>
and subject line Bug#1018931: fixed in jsoup 1.15.3-1
has caused the Debian Bug report #1018931,
regarding jsoup: CVE-2022-36033: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1018931: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018931
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jsoup
Version: 1.15.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for jsoup.

CVE-2022-36033[0]:
| jsoup is a Java HTML parser, built for HTML editing, cleaning,
| scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly
| sanitize HTML including `javascript:` URL expressions, which could
| allow XSS attacks when a reader subsequently clicks that link. If the
| non-default `SafeList.preserveRelativeLinks` option is enabled, HTML
| including `javascript:` URLs that have been crafted with control
| characters will not be sanitized. If the site that this HTML is
| published on does not set a Content Security Policy, an XSS attack is
| then possible. This issue is patched in jsoup 1.15.3. Users should
| upgrade to this version. Additionally, as the unsanitized input may
| have been persisted, old content should be cleaned again using the
| updated version. To remediate this issue without immediately
| upgrading: - disable `SafeList.preserveRelativeLinks`, which will
| rewrite input URLs as absolute URLs - ensure an appropriate
| [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
| is defined. (This should be used regardless of upgrading, as a
| defence-in-depth best practice.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-36033
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36033
[1] https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369
[2] https://github.com/jhy/jsoup/commit/4ea768d96b3d232e63edef9594766d44597b3882

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
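The remediation quoted in the report above (leave `preserveRelativeLinks` disabled so links are rewritten as absolute URLs, and re-clean content persisted while the vulnerable version was in use) looks like the following in application code. This is an added example, not code from the bug report or from the jsoup project; it uses the jsoup 1.15.x class `org.jsoup.safety.Safelist` (the advisory text spells it `SafeList`), and the class `SafeHtmlCleaner`, the base URI and the sample HTML are constructed for illustration.

```java
// Added example (not from the Debian bug report or the jsoup project).
// Shows the CVE-2022-36033 mitigation: keep Safelist.preserveRelativeLinks
// at its default (false) so every href is resolved to an absolute URL
// against a trusted base, then check that only http/https links survive.
// Requires jsoup >= 1.15.3 (org.jsoup:jsoup) on the classpath.
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;

import java.util.ArrayList;
import java.util.List;

public class SafeHtmlCleaner {

    // Trusted origin used to absolutise relative links (constructed value).
    private static final String BASE_URI = "https://example.org/";

    // Safelist.basic() allows <a href> only with http/https/ftp/mailto schemes.
    // preserveRelativeLinks(false) is already the default; it is restated so
    // the setting is visible in code review and cannot drift unnoticed.
    private static final Safelist SAFELIST = Safelist.basic()
            .preserveRelativeLinks(false);

    /** Cleans an untrusted body fragment and returns the sanitised HTML. */
    public static String clean(String untrustedHtml) {
        String cleaned = Jsoup.clean(untrustedHtml, BASE_URI, SAFELIST);
        List<String> bad = unsafeLinks(cleaned);
        if (!bad.isEmpty()) {
            // Defence in depth: never emit output that fails the post-check.
            throw new IllegalStateException("unexpected link schemes: " + bad);
        }
        return cleaned;
    }

    /** Returns every href in the cleaned fragment that is not http(s). */
    static List<String> unsafeLinks(String cleanedHtml) {
        Document doc = Jsoup.parseBodyFragment(cleanedHtml, BASE_URI);
        List<String> bad = new ArrayList<>();
        for (Element a : doc.select("a[href]")) {
            String href = a.attr("href").trim().toLowerCase();
            if (!(href.startsWith("https://") || href.startsWith("http://"))) {
                bad.add(a.attr("href"));
            }
        }
        return bad;
    }

    /**
     * Re-cleans fragments that were stored while the vulnerable version was
     * in use, as the advisory recommends. storedFragments stands in for
     * whatever the application persisted (hypothetical input).
     */
    public static List<String> recleanStored(List<String> storedFragments) {
        List<String> out = new ArrayList<>(storedFragments.size());
        for (String stored : storedFragments) {
            out.add(clean(stored));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: one relative link, one absolute link, one <script>.
        String input = "<p>See <a href=\"/docs\">docs</a> or "
                + "<a href=\"https://example.com/\">mirror</a>.</p>"
                + "<script>1</script>";
        // Safelist.basic() drops the <script>; with preserveRelativeLinks
        // false the /docs href is resolved against BASE_URI.
        System.out.println(clean(input));
    }
}
```

The post-check in `unsafeLinks` is deliberately stricter than `Safelist.basic()` (it also rejects `mailto:` and `ftp:`), so relax it if the application legitimately needs those schemes. Independently of the library upgrade, the page serving this output should send a `Content-Security-Policy` header, as the advisory notes; the cleaner is one layer, not the only one.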
--- Begin Message ---
Source: jsoup
Source-Version: 1.15.3-1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
jsoup, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated jsoup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 03 Sep 2022 01:03:14 +0200
Source: jsoup
Architecture: source
Version: 1.15.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1018931
Changes:
 jsoup (1.15.3-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 1.15.3.
     - Fix CVE-2022-36033:
       Jsoup may incorrectly sanitize HTML including Javascript which could
       allow XSS attacks. (Closes: #1018931)
       Thanks to Salvatore Bonaccorso for the report.
Checksums-Sha1:
 95e1061f474df848fedd691078142c25ffd4db56 2361 jsoup_1.15.3-1.dsc
 aca928522acdac30598ef756317eed47758566c0 465348 jsoup_1.15.3.orig.tar.xz
 a951d9c0b2e3df307eace80a1db87cd3c4f15398 5356 jsoup_1.15.3-1.debian.tar.xz
 e9998d49d20153e81f453a0615eb77413cec3259 14311 jsoup_1.15.3-1_amd64.buildinfo
Checksums-Sha256:
 eb6b2a176fe9df0553c580e33e798cfa8e4664b8fd855881bd719682f08c742f 2361 jsoup_1.15.3-1.dsc
 052511f0be47511f9b2a17d44fc1eccc4b5373e77cc5a3221e34b6af437e1e2e 465348 jsoup_1.15.3.orig.tar.xz
 2cbf6226cc80f0160981f097b0a8d45d87ef4a15a028abf4cf10e695df9a0984 5356 jsoup_1.15.3-1.debian.tar.xz
 b3aff9779a82732cf7eff09e72fa4f210b71a1806937d3892c4a4a850f6a8e50 14311 jsoup_1.15.3-1_amd64.buildinfo
Files:
 75ebc2a2868879ef09be76ab97133623 2361 java optional jsoup_1.15.3-1.dsc
 a4a75fc1e76f0994698a5303403f0bdf 465348 java optional jsoup_1.15.3.orig.tar.xz
 1b27a05ce12357e4bc26a57803b40e60 5356 java optional jsoup_1.15.3-1.debian.tar.xz
 a835bd0d3e26ea4e877113a36d45cf85 14311 java optional jsoup_1.15.3-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.