Your message dated Sat, 30 Aug 2025 18:17:22 +0000
with message-id <[email protected]>
and subject line Bug#1111589: fixed in shaarli 0.12.1+dfsg-8+deb12u1
has caused the Debian Bug report #1111589,
regarding shaarli: CVE-2025-55291
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1111589: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111589
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: shaarli
Version: 0.14.0+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for shaarli.

CVE-2025-55291[0]:
| Shaarli is a minimalist bookmark manager and link sharing service.
| Prior to 0.15.0, the input string in the cloud tag page is not
| properly sanitized. This allows the </title> tag to be prematurely
| closed, leading to a reflected Cross-Site Scripting (XSS)
| vulnerability. This vulnerability is fixed in 0.15.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-55291
    https://www.cve.org/CVERecord?id=CVE-2025-55291
[1] https://github.com/shaarli/Shaarli/security/advisories/GHSA-7w7w-pw4j-265h
[2] https://github.com/shaarli/Shaarli/commit/66faa61335a6e72184be64092ff1242ffa4fe5b6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
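
Added example (not part of the bug report and not Shaarli's code): a minimal model of the flaw class the CVE text describes, where request input copied into <title> unescaped can close the element early, next to the escaped form and a parser-based check. TEMPLATE, the function names and SAMPLE are hypothetical and constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Hypothetical page template; Shaarli's real templates differ.
TEMPLATE = "<html><head><title>Tag cloud - {tag}</title></head><body></body></html>"

def render_unsafe(tag: str) -> str:
    """Pre-fix pattern: request input is copied into <title> unescaped."""
    return TEMPLATE.format(tag=tag)

def render_safe(tag: str) -> str:
    """Hardened pattern: HTML-escape the value at output time."""
    return TEMPLATE.format(tag=html.escape(tag, quote=True))

class TitleAudit(HTMLParser):
    """Collects the text inside <title> and every element opened outside it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_title = False
        self.title_text = ""
        self.tags_outside_title = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif not self.in_title:
            self.tags_outside_title.append(tag)

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title_text += data

def audit(page: str):
    """Return (title text, elements opened outside <title>) for a rendered page."""
    parser = TitleAudit()
    parser.feed(page)
    parser.close()
    return parser.title_text, parser.tags_outside_title

# Constructed input: closes the title early, then opens a new element.
SAMPLE = "demo</title><script>/* injected */</script>"

if __name__ == "__main__":
    print("unsafe:", audit(render_unsafe(SAMPLE)))
    print("safe:  ", audit(render_safe(SAMPLE)))
```

With the unescaped rendering the audit reports a script element outside the title; with escaping the whole input stays inside the title as text.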
--- Begin Message ---
Source: shaarli
Source-Version: 0.12.1+dfsg-8+deb12u1
Done: James Valleroy <[email protected]>

We believe that the bug you reported is fixed in the latest version of
shaarli, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Valleroy <[email protected]> (supplier of updated shaarli package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 Aug 2025 09:48:22 -0400
Source: shaarli
Architecture: source
Version: 0.12.1+dfsg-8+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: James Valleroy <[email protected]>
Closes: 1111589
Changes:
 shaarli (0.12.1+dfsg-8+deb12u1) bookworm; urgency=medium
 .
   * Add patch to fix CVE-2025-55291 (Closes: #1111589)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---