Your message dated Sat, 30 Aug 2025 15:47:09 +0000
with message-id <[email protected]>
and subject line Bug#1111589: fixed in shaarli 0.14.0+dfsg-2
has caused the Debian Bug report #1111589,
regarding shaarli: CVE-2025-55291
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1111589: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111589
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: shaarli
Version: 0.14.0+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for shaarli.
CVE-2025-55291[0]:
| Shaarli is a minimalist bookmark manager and link sharing service.
| Prior to 0.15.0, the input string in the cloud tag page is not
| properly sanitized. This allows the </title> tag to be prematurely
| closed, leading to a reflected Cross-Site Scripting (XSS)
| vulnerability. This vulnerability is fixed in 0.15.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-55291
https://www.cve.org/CVERecord?id=CVE-2025-55291
[1] https://github.com/shaarli/Shaarli/security/advisories/GHSA-7w7w-pw4j-265h
[2] https://github.com/shaarli/Shaarli/commit/66faa61335a6e72184be64092ff1242ffa4fe5b6
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
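The flaw class described in the report above, as an added example that is not Shaarli's code and not part of the original messages: a search-tag string placed into `<title>` unescaped versus escaped, with a parser-based check on the rendered page. The template, function names and sample input are constructed, and Python stands in for the PHP application.

```python
# Added illustration, not Shaarli's code: the template, function names and
# sample input are constructed. Python stands in for the PHP application.
import html
from html.parser import HTMLParser

PAGE = "<html><head><title>{title} - Tag cloud</title></head><body></body></html>"


def render_unescaped(search_tags: str) -> str:
    """Pre-fix behaviour as the advisory describes it: input reaches <title> raw."""
    return PAGE.format(title=search_tags)


def render_escaped(search_tags: str) -> str:
    """Hardened form: HTML-escape the value so '<' cannot end the element."""
    return PAGE.format(title=html.escape(search_tags, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag the parser recognises in a rendered page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.start_tags = []

    def handle_starttag(self, tag, attrs):
        self.start_tags.append(tag)


def start_tags(page: str) -> list:
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.start_tags


def title_is_contained(page: str) -> bool:
    """Regression check: user input must not add elements to the page."""
    return start_tags(page) == ["html", "head", "title", "body"]


# Constructed input: closes <title> early, then opens a new element.
SAMPLE = "demo</title><script>/* injected */</script>"

if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        page = render(SAMPLE)
        print(f"{name:9} contained={title_is_contained(page)} tags={start_tags(page)}")
```

The check compares the set of parsed elements against the template's own, so it can serve as a regression test for any page that reflects request input into `<title>`.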
--- Begin Message ---
Source: shaarli
Source-Version: 0.14.0+dfsg-2
Done: James Valleroy <[email protected]>
We believe that the bug you reported is fixed in the latest version of
shaarli, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Valleroy <[email protected]> (supplier of updated shaarli package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 30 Aug 2025 07:45:06 -0400
Source: shaarli
Architecture: source
Version: 0.14.0+dfsg-2
Distribution: trixie
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: James Valleroy <[email protected]>
Closes: 1111589
Changes:
shaarli (0.14.0+dfsg-2) trixie; urgency=medium
.
* Add patch to fix CVE-2025-55291 (Closes: #1111589)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---