Your message dated Sun, 29 Jan 2023 09:54:09 +0000
with message-id <[email protected]>
and subject line Bug#1021739: fixed in nekohtml 1.9.22.noko2-0.1
has caused the Debian Bug report #1021739,
regarding nekohtml: CVE-2022-24839
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1021739: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021739
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nekohtml
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for nekohtml.
CVE-2022-24839[0]:
| org.cyberneko.html is an html parser written in Java. The fork of
| `org.cyberneko.html` used by Nokogiri (Rubygem) raises a
| `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML
| markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note:
| The upstream library `org.cyberneko.html` is no longer maintained.
| Nokogiri uses its own fork of this library located at
| https://github.com/sparklemotion/nekohtml and this CVE applies only to
| that fork. Other forks of nekohtml may have a similar vulnerability.
https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-24839
https://www.cve.org/CVERecord?id=CVE-2022-24839
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: nekohtml
Source-Version: 1.9.22.noko2-0.1
Done: David Prévot <[email protected]>
We believe that the bug you reported is fixed in the latest version of
nekohtml, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <[email protected]> (supplier of updated nekohtml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 28 Jan 2023 20:01:30 +0100
Source: nekohtml
Architecture: source
Version: 1.9.22.noko2-0.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: David Prévot <[email protected]>
Closes: 1021739
Changes:
 nekohtml (1.9.22.noko2-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Update sources repositories
   * New upstream version 1.9.22.noko2 (Closes: #1021739) [CVE-2022-24839]
   * Refresh patch
--- End Message ---