Bug#1010154: libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367
Neil Williams
codehelp at debian.org
Mon Apr 25 13:39:49 BST 2022
Source: libowasp-antisamy-java
Version: 1.5.3+dfsg-1.1
Severity: important
Tags: security
X-Debbugs-Cc: codehelp at debian.org, Debian Security Team <team at security.debian.org>
Hi,
Please note that the current homepage for libowasp-antisamy-java appears to
have no commits beyond version 1.5.3, but the change for CVE-2022-29577
does match the source code for libowasp-antisamy-java:
https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410
So I am reporting the bug on the basis that upstream looks to have moved
to a new location. There may be other CVEs which need to be attributed
in this case. Please confirm and update the package links if correct.
The following vulnerabilities were published for libowasp-antisamy-java.
CVE-2022-28367[0]:
| OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE
| content with crafted input. The output serializer does not properly
| encode the supposed Cascading Style Sheets (CSS) content.
CVE-2022-28366[1]:
| Certain Neko-related HTML parsers allow a denial of service via
| crafted Processing Instruction (PI) input that causes excessive heap
| memory consumption. In particular, this issue exists in HtmlUnit-Neko
| through 2.26, and is fixed in 2.27. This issue also exists in
| CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before
| 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this
| may be related to CVE-2022-24939.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-28367
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28367
[1] https://security-tracker.debian.org/tracker/CVE-2022-28366
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28366
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
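The mechanism behind CVE-2022-28367 is worth seeing in miniature, because the phrase "tag smuggling on STYLE content" hides a parser differential: a CSS-level check treats /* ... */ as a comment and ignores its contents, whereas the browser's HTML tokenizer handles the contents of <style> as raw text and ends the element at the first "</style" it meets, case-insensitively and with no knowledge of CSS syntax. A sanitizer that validates the CSS and then writes it back verbatim has checked the content with the first set of rules while the browser applies the second. The Python below is an added illustration by the editor, not code from this bug report, from Debian or from OWASP AntiSamy: the SMUGGLED_CSS input is constructed, and the serialize_style_encoded() hardening (writing '<', '>' and '&' as CSS hex escapes) is a generic fix chosen here to show the idea, not a description of the change AntiSamy 1.6.6 actually made.

```python
"""
Model of HTML tag smuggling through <style> content and one way to
serialize CSS so the browser's HTML tokenizer can no longer be fooled.
Editor's illustration, not AntiSamy code.
"""
from __future__ import annotations

import re

# Constructed attack input. To a CSS parser everything between /* and */
# is a comment; to the HTML tokenizer the "</style>" inside it closes the
# element and the <img> tag that follows is parsed as markup.
SMUGGLED_CSS = "body { color: red; } /* </style><img src=x onerror=alert(1)> */"


def strip_css_comments(css: str) -> str:
    """What a CSS-level validator 'sees': comment bodies are not content."""
    return re.sub(r"/\*.*?\*/", "", css, flags=re.DOTALL)


def html_rawtext_split(style_content: str) -> tuple[str, str]:
    """Simplified model of the HTML5 RAWTEXT tokenizer state for <style>.

    Returns (text that stays inside the style element, text that the
    tokenizer goes on to parse as HTML once the element has been closed).
    The end tag is recognised by an ASCII case-insensitive match on
    "</style" followed by whitespace, "/" or ">"; CSS syntax is irrelevant.
    """
    m = re.search(r"</style(?=[\s/>])", style_content, flags=re.IGNORECASE)
    if m is None:
        return style_content, ""
    close = style_content.find(">", m.end())
    tail_start = len(style_content) if close == -1 else close + 1
    return style_content[: m.start()], style_content[tail_start:]


def serialize_style_unsafe(css: str) -> str:
    """Serializer that writes validated CSS back verbatim (the flaw)."""
    return "<style>" + css + "</style>"


def serialize_style_encoded(css: str) -> str:
    """Serializer that makes CSS content inert to the HTML tokenizer.

    '<' is written as the CSS escape '\\3c ' (the trailing space terminates
    the hex escape), so a CSS parser still reads '<' where it matters, but
    the byte sequence "</style" can no longer occur inside the element.
    '>' and '&' are encoded the same way to remove other context-switch
    characters. Hypothetical hardening for illustration only.
    """
    encoded = css.replace("&", "\\26 ").replace("<", "\\3c ").replace(">", "\\3e ")
    return "<style>" + encoded + "</style>"


def leaked_markup(serialized: str) -> str:
    """Run the browser-side model over a serialized <style> element.

    Returns whatever ends up outside the style element, i.e. text the
    browser would interpret as HTML. An empty string means nothing leaked.
    Both serializers above emit the fixed prefix "<style>", and the
    "</style>" they append is the legitimate end tag, so only a smuggled
    end tag produces a non-empty result.
    """
    inner = serialized[len("<style>"):]
    _, tail = html_rawtext_split(inner)
    return tail


if __name__ == "__main__":
    print("CSS validator sees :", repr(strip_css_comments(SMUGGLED_CSS)))
    print("leaks (verbatim)   :", repr(leaked_markup(serialize_style_unsafe(SMUGGLED_CSS))))
    print("leaks (encoded)    :", repr(leaked_markup(serialize_style_encoded(SMUGGLED_CSS))))
```

Running the file shows the validator accepting "body { color: red; } " as harmless CSS, the verbatim serializer leaking "<img src=x onerror=alert(1)> */</style>" into HTML context, and the encoding serializer leaking nothing. The general lesson for any sanitizer is that output must be serialized under the rules of the parser that will consume it, not the rules that were used to validate it.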