Your message dated Sun, 03 Dec 2023 11:12:26 +0000
with message-id <e1r9kog-007cxe...@fasolo.debian.org>
and subject line Bug#1054164: fixed in libowasp-antisamy-java 1.7.4-1
has caused the Debian Bug report #1054164,
regarding libowasp-antisamy-java: CVE-2023-43643
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054164: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054164
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libowasp-antisamy-java
Version: 1.5.3+dfsg-1.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libowasp-antisamy-java.

Note: The severity is set to RC, though 'important' would better fit.
It looks as if in each supported version in Debian we are still at
1.5.3. Is the library still maintained within Debian?

CVE-2023-43643[0]:
| AntiSamy is a library for performing fast, configurable cleansing of
| HTML coming from untrusted sources. Prior to version 1.7.4, there is
| a potential for a mutation XSS (mXSS) vulnerability in AntiSamy
| caused by flawed parsing of the HTML being sanitized. To be subject
| to this vulnerability the `preserveComments` directive must be
| enabled in your policy file and also allow for certain tags at the
| same time. As a result, certain crafty inputs can result in elements
| in comment tags being interpreted as executable when using
| AntiSamy's sanitized output. This issue has been patched in AntiSamy
| 1.7.4 and later.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43643
    https://www.cve.org/CVERecord?id=CVE-2023-43643
[1] https://github.com/nahsra/antisamy/security/advisories/GHSA-pcf2-gh6g-h5r2
[2] https://github.com/nahsra/antisamy/commit/05c52b98bb845b8175b8406bd2f391ce334a05d6

Regards,
Salvatore

--- End Message ---
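The report above states the precondition for CVE-2023-43643 (the `preserveComments` directive enabled in the policy file, on an AntiSamy older than 1.7.4). The following policy audit is an added example, not code from the bug report or from the AntiSamy project: it parses a constructed minimal policy file, flags the vulnerable combination of directive and installed version, and shows the stop-gap mitigation of forcing the directive off. The policy snippet, the version strings and the assumption that an absent directive counts as disabled are all constructed here.

```python
import xml.etree.ElementTree as ET

# Constructed minimal AntiSamy policy (not a real shipped policy file); it
# enables the preserveComments directive that CVE-2023-43643 requires.
WEAK_POLICY = """<anti-samy-rules>
  <directives>
    <directive name="omitXmlDeclaration" value="true"/>
    <directive name="preserveComments" value="true"/>
  </directives>
  <tag-rules>
    <tag name="b" action="validate"/>
    <tag name="p" action="validate"/>
  </tag-rules>
</anti-samy-rules>
"""

FIXED_IN = (1, 7, 4)  # first upstream release that contains the fix


def upstream_version(debian_version):
    """Strip Debian suffixes such as '+dfsg' and '-1', return an int tuple."""
    upstream = debian_version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in upstream.split("."))


def directive_enabled(root, name):
    """True if <directive name=... value="true"/> is present.
    Assumption: a directive that is absent behaves as disabled."""
    for d in root.iter("directive"):
        if d.get("name") == name:
            return d.get("value", "").strip().lower() == "true"
    return False


def audit_policy(policy_xml, installed_version):
    """Return findings; an empty list means the precondition is not met."""
    root = ET.fromstring(policy_xml)
    findings = []
    if (directive_enabled(root, "preserveComments")
            and upstream_version(installed_version) < FIXED_IN):
        findings.append("preserveComments=true with AntiSamy %s (< 1.7.4): "
                        "upgrade or disable the directive" % installed_version)
    return findings


def harden_policy(policy_xml):
    """Return the policy with preserveComments forced to false, the
    mitigation to apply while the upgrade to 1.7.4 is not yet installed."""
    root = ET.fromstring(policy_xml)
    for d in root.iter("directive"):
        if d.get("name") == "preserveComments":
            d.set("value", "false")
    return ET.tostring(root, encoding="unicode")
```

The audit only checks the directive and version; the advisory also requires certain tags to be allowed, which this check does not model.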
--- Begin Message ---
Source: libowasp-antisamy-java
Source-Version: 1.7.4-1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libowasp-antisamy-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated libowasp-antisamy-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 03 Dec 2023 11:32:40 +0100
Source: libowasp-antisamy-java
Architecture: source
Version: 1.7.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 800986 1010154 1014981 1054164
Changes:
 libowasp-antisamy-java (1.7.4-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 1.7.4.
     - Fix CVE-2023-43643, CVE-2022-28367, CVE-2022-28366, CVE-2021-35043,
       CVE-2017-14735, CVE-2016-10006. (Closes: #1054164, #1010154, #1014981)
     - Drop obsolete libcommons-httpclient-java library from Build-Depends.
       (Closes: #800986)
   * Switch to dh-sequencer and debhelper-compat = 13.
   * Declare compliance with Debian Policy 4.6.2.
   * Build-depend on libfindbugs-annotations-java, libhttpclient5-java and
     libhttpcore5-java.
   * Add neko-htmlunit.patch, so that we don't have to package the new
     neko-htmlunit fork.
   * Override lintian error source is missing because those files are only
     needed for the tests.
   * Drop binary package libowasp-antisamy-java-doc.

--- End Message ---