Your message dated Thu, 09 Sep 2021 11:48:48 +0000
with message-id <[email protected]>
and subject line Bug#992590: fixed in jsoup 1.14.2-1
has caused the Debian Bug report #992590,
regarding jsoup: CVE-2021-37714
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
992590: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992590
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jsoup
Version: 1.10.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for jsoup.
CVE-2021-37714[0]:
| jsoup is a Java library for working with HTML. Those using jsoup
| versions prior to 1.14.2 to parse untrusted HTML or XML may be
| vulnerable to DOS attacks. If the parser is run on user supplied
| input, an attacker may supply content that causes the parser to get
| stuck (loop indefinitely until cancelled), to complete more slowly
| than usual, or to throw an unexpected exception. This effect may
| support a denial of service attack. The issue is patched in version
| 1.14.2. There are a few available workarounds. Users may rate limit
| input parsing, limit the size of inputs based on system resources,
| and/or implement thread watchdogs to cap and timeout parse runtimes.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-37714
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37714
[1] https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
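The CVE text quoted in the report names three workarounds for callers who cannot yet move to 1.14.2: rate limiting, capping input size, and a thread watchdog that times out a parse run. The class below is an added example, not code from jsoup or from the Debian package, showing how the latter two are typically applied around Jsoup.parse(). The class name, the 1 MiB cap and the 2 s timeout are assumptions chosen for illustration; rate limiting is left out because it belongs at the request layer, not around the parser call. Upgrading to 1.14.2 remains the fix; this wrapper is defence in depth for the period before the upgrade lands.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;

/**
 * Added example (not jsoup or Debian code). Wraps Jsoup.parse() with the two
 * caller-side workarounds named in CVE-2021-37714: a byte-size cap on the
 * input and a wall-clock watchdog on the parse. The limits are assumptions.
 */
public final class GuardedJsoupParser implements AutoCloseable {
    private static final int MAX_INPUT_BYTES = 1 << 20;    // 1 MiB, assumption
    private static final long PARSE_TIMEOUT_MS = 2_000L;  // 2 s, assumption

    // Bounded pool: a parse that never observes interruption keeps its thread,
    // so the number of stuck parser threads is capped rather than unbounded.
    private final ExecutorService pool;

    public GuardedJsoupParser(int maxConcurrentParses) {
        this.pool = Executors.newFixedThreadPool(maxConcurrentParses, r -> {
            Thread t = new Thread(r, "jsoup-parse");
            t.setDaemon(true); // do not keep the JVM alive for a stuck parse
            return t;
        });
    }

    /** Parse untrusted HTML with a size cap and a timeout on the parse run. */
    public Document parseUntrusted(String html, String baseUri)
            throws IOException, InterruptedException, TimeoutException {
        // Measure in bytes, not chars: the parser's work scales with input size.
        int bytes = html.getBytes(StandardCharsets.UTF_8).length;
        if (bytes > MAX_INPUT_BYTES) {
            throw new IOException("input of " + bytes
                    + " bytes exceeds cap of " + MAX_INPUT_BYTES);
        }

        Future<Document> future = pool.submit(() -> Jsoup.parse(html, baseUri));
        try {
            return future.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Interruption is cooperative: a parser stuck in a tight loop may
            // not notice it. The caller stops waiting regardless.
            future.cancel(true);
            throw e;
        } catch (ExecutionException e) {
            // Any exception thrown inside the parser (the "unexpected
            // exception" case in the CVE text) surfaces as one checked type.
            throw new IOException("parse failed: " + e.getCause(), e.getCause());
        }
    }

    @Override
    public void close() {
        pool.shutdownNow();
    }

    public static void main(String[] args) throws Exception {
        try (GuardedJsoupParser parser = new GuardedJsoupParser(4)) {
            // Constructed sample input; a real caller passes request data here.
            Document doc = parser.parseUntrusted(
                    "<html><body><p>hello <b>world</b></p></body></html>",
                    "https://example.invalid/");
            System.out.println(doc.body().text());
        }
    }
}
```

The watchdog bounds how long a request waits, not how long the parser thread runs: Thread.interrupt() only takes effect where the interrupted code checks for it, and the CVE describes a parser that loops until cancelled, so a timed-out parse may keep burning a core until the process is recycled. That is why the pool is bounded and its threads are daemon threads; with an unbounded pool a stream of malicious inputs would still exhaust the host.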
--- Begin Message ---
Source: jsoup
Source-Version: 1.14.2-1
Done: Markus Koschany <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jsoup, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated jsoup package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 09 Sep 2021 13:30:36 +0200
Source: jsoup
Architecture: source
Version: 1.14.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 992590
Changes:
jsoup (1.14.2-1) unstable; urgency=medium
.
* Team upload.
* Upload to unstable.
* New upstream version 1.14.2.
- Fix CVE-2021-37714:
If the parser is run on user supplied input, an attacker may supply
content that causes the parser to get stuck (loop indefinitely until
cancelled), to complete more slowly than usual, or to throw an unexpected
exception. This effect may support a denial of service attack.
(Closes: #992590)
* Declare compliance with Debian Policy 4.6.0.
Checksums-Sha1:
c9af64ecf692950dc1fe3e4f062ab544122bff7c 2361 jsoup_1.14.2-1.dsc
4247acea8c8805c5ac538fed833aa50dc971e344 429008 jsoup_1.14.2.orig.tar.xz
2393aa198212aac6e8f5d6e50ea51051405b2e36 5200 jsoup_1.14.2-1.debian.tar.xz
fe76804ea444165bc2f8cc471e77a7647f431026 13533 jsoup_1.14.2-1_amd64.buildinfo
Checksums-Sha256:
ca3a557fbbc75149ee4abbd9ce416dcd542a5fb849c39a422d2cf2a833c4e130 2361 jsoup_1.14.2-1.dsc
03b63c14159f5c6c3113c0774b3ebc7127ba126ec07e338784a0cfbc13b2c0cc 429008 jsoup_1.14.2.orig.tar.xz
9b9996318088372f8db550b4766c7e6e055b1af2cc02b24a60293025aa2ffb36 5200 jsoup_1.14.2-1.debian.tar.xz
4c0fa2e4143993911214e6e9c5d00a49cb64d848e14885dd5b4be6011a8e11d0 13533 jsoup_1.14.2-1_amd64.buildinfo
Files:
e35a781744a3a936ff394ffdf3479829 2361 java optional jsoup_1.14.2-1.dsc
ae0eabf4dc3fdcd29505a137b0f3f2d5 429008 java optional jsoup_1.14.2.orig.tar.xz
7249049c7fee8c2899c8056dffdace61 5200 java optional jsoup_1.14.2-1.debian.tar.xz
ba9560e21175db58b2d4f4a932daea32 13533 java optional jsoup_1.14.2-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---