Source: jsoup
Version: 1.15.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for jsoup.

CVE-2022-36033[0]:
| jsoup is a Java HTML parser, built for HTML editing, cleaning,
| scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly
| sanitize HTML including `javascript:` URL expressions, which could
| allow XSS attacks when a reader subsequently clicks that link. If the
| non-default `SafeList.preserveRelativeLinks` option is enabled, HTML
| including `javascript:` URLs that have been crafted with control
| characters will not be sanitized. If the site that this HTML is
| published on does not set a Content Security Policy, an XSS attack is
| then possible. This issue is patched in jsoup 1.15.3. Users should
| upgrade to this version. Additionally, as the unsanitized input may
| have been persisted, old content should be cleaned again using the
| updated version. To remediate this issue without immediately
| upgrading:
| - disable `SafeList.preserveRelativeLinks`, which will
|   rewrite input URLs as absolute URLs
| - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
|   is defined. (This should be used regardless of upgrading, as a
|   defence-in-depth best practice.)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-36033
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36033
[1] https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369
[2] https://github.com/jhy/jsoup/commit/4ea768d96b3d232e63edef9594766d44597b3882

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
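As an added example (not code from this report or from jsoup itself), a Java routine that applies the advisory's two non-upgrade steps to persisted content: it re-cleans stored HTML with `preserveRelativeLinks` left at its default of `false`, so jsoup rewrites links as absolute URLs, and then checks that every surviving `href` uses one of the schemes the basic safelist permits. The base URI and the sample strings are assumed/constructed; the class is spelled `Safelist` in jsoup's API.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;

import java.util.List;

/** Re-sanitizes stored user HTML and verifies link schemes afterwards. */
public final class ResanitizeStoredHtml {

    // Hypothetical base URI for this example; relative links resolve against it.
    private static final String BASE_URI = "https://example.org/";

    // preserveRelativeLinks(false) is the default and is the advisory's mitigation:
    // jsoup rewrites relative href/src values as absolute URLs during cleaning.
    private static final Safelist SAFELIST = Safelist.basic().preserveRelativeLinks(false);

    // Schemes Safelist.basic() allows on a[href]; anything else must not survive.
    private static final List<String> ALLOWED = List.of("http:", "https:", "mailto:", "ftp:");

    /** Cleans one stored fragment; run this over old content after upgrading too. */
    public static String clean(String storedHtml) {
        return Jsoup.clean(storedHtml, BASE_URI, SAFELIST);
    }

    /** Post-clean check: true only if every remaining link has an allowed scheme. */
    public static boolean linksUseAllowedSchemes(String cleanedHtml) {
        Document doc = Jsoup.parseBodyFragment(cleanedHtml, BASE_URI);
        for (Element a : doc.select("a[href]")) {
            // Drop ASCII control characters and whitespace before inspecting the scheme,
            // so a scheme broken up by such characters is still compared as one token.
            String href = a.attr("href").replaceAll("[\\x00-\\x20\\x7f]", "").toLowerCase();
            if (ALLOWED.stream().noneMatch(href::startsWith)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not real stored content.
        List<String> stored = List.of(
            "<p>See <a href=\"/docs/intro\">the intro</a></p>",
            "<p>Click <a href=\"javascript:alert(1)\">here</a></p>");
        for (String html : stored) {
            String cleaned = clean(html);
            System.out.println(cleaned + "  allowedSchemes=" + linksUseAllowedSchemes(cleaned));
        }
    }
}
```

Content for which the check returns false should be quarantined rather than republished, and the CSP the advisory recommends remains the backstop for anything the re-clean misses.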