On Wed, 04 Aug 2021 19:38:00 +0200 Salvatore Bonaccorso <car...@debian.org> wrote:

> The following vulnerability was published for prototypejs.
>
> CVE-2020-27511[0]:
> | An issue was discovered in the stripTags and unescapeHTML components
> | in Prototype 1.7.3 where an attacker can cause a Regular Expression
> | Denial of Service (ReDOS) through stripping crafted HTML tags.

(The CVE mentions a newer version but vulnerable code exists in older versions too.)

The Debian package has been orphaned and upstream has not seen any changes on the master branch since April 2017. (Last upload of a new upstream release to Debian was in 2013.)

Nevertheless, there is a pull request which claims to address the problem in strip_tags, opened in Jan 2021:
https://github.com/prototypejs/prototype/pull/349

> Basically this bug is just to track the issue downstream for us in
> Debian. Though upstream's last release was several years ago in 2015,
> so I wonder if post-bullseye release this bug severity should be
> raised to RC.
>
> There are many (build)-rdeps on it so this cannot simply be removed
> from the archive.

CC'ing the Javascript team in case someone there can take over the package, possibly upstream as well as in Debian.

libjs-prototype
Reverse Depends:
  libjs-flotr
  wims
  citadel-webcit
  chromium-tt-rss-notifier
  smokeping
  libjs-scriptaculous
  rabbit
  libjs-protoaculous
  php-horde-core
  mobyle
  libjs-jstorage
  libhtml-prototype-perl
  libembperl-perl
  libaws18-dev
  jsxgraph
  gnat-gps-common
  gerbera
  gbrowse
  fusiondirectory
  darktable

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-27511
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27511
> [1] https://github.com/yetingli/PoCs/blob/main/CVE-2020-27511/Prototype.md
>
> Regards,
> Salvatore
>

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/
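The CVE quoted above concerns a tag-stripping routine whose regular expression can be driven into catastrophic backtracking. The following is an added example, not Prototype's code and not the change proposed in the linked pull request: a single-pass scanner that removes `<tag ...>` and `</tag>` sequences the way a String#stripTags helper would, but visits each character at most once, so no input can make it run in more than linear time. The function name `stripTagsLinear` and the handling of unterminated tags (kept as literal text) are assumptions for this example.

```javascript
// Added example (not Prototype's code): a linear-time replacement for a
// regex-based stripTags. Every character is consumed exactly once, so there
// is no nested quantifier for crafted input to exploit via backtracking.

function stripTagsLinear(input) {
  let out = '';
  let i = 0;
  const n = input.length;

  while (i < n) {
    const ch = input[i];
    if (ch !== '<') {
      out += ch;
      i++;
      continue;
    }

    // A tag starts with "<" (optionally "</") followed by a letter;
    // anything else, e.g. "a < b", is ordinary text and is kept.
    let j = i + 1;
    if (j < n && input[j] === '/') j++;
    if (j >= n || !/[A-Za-z]/.test(input[j])) {
      out += ch;
      i++;
      continue;
    }

    // Scan forward to the closing ">", treating ">" inside a quoted
    // attribute value as part of the tag rather than its terminator.
    let quote = null;
    let k = j;
    let closed = false;
    while (k < n) {
      const c = input[k];
      if (quote) {
        if (c === quote) quote = null;
      } else if (c === '"' || c === "'") {
        quote = c;
      } else if (c === '>') {
        closed = true;
        break;
      }
      k++;
    }

    if (!closed) {
      // Unterminated tag (assumption for this example): keep the rest
      // as literal text instead of guessing where the tag ends.
      out += input.slice(i);
      break;
    }

    i = k + 1; // drop everything from "<" through ">"
  }
  return out;
}

// Constructed sample inputs for a quick self-check.
const SAMPLES = [
  '<p>Hello <b>world</b></p>',
  'a < b and c > d',
  '<a href="x>y">link</a>',
  '<img src=x',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), '->', JSON.stringify(stripTagsLinear(s)));
  }
}
```

Because the scanner never backs up, a long run of attribute-like text with no closing `>` (the shape that typically stresses a backtracking regex) is simply copied through once; the comparison worth making when evaluating a fix is that the runtime grows with input length, not with the number of spaces or quotes inside the tag.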