Bug#1010154: libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367

Salvatore Bonaccorso carnil at debian.org
Mon Apr 25 18:22:12 BST 2022


Hi!

On Mon, Apr 25, 2022 at 01:48:43PM +0100, Neil Williams wrote:
> On Mon, 25 Apr 2022 13:39:49 +0100 Neil Williams <codehelp at debian.org> wrote:
> > Please note, the current homepage for libowasp-antisamy-java appears to
> > have no commits beyond version 1.5.3 but the change for CVE-2022-29577
> > does match the source code for libowasp-antisamy-java:
> > https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410
> 
> Apologies - that paragraph contains a typo - the matching change is for
> CVE-2022-28367:
> 
> The fix in what looks like the new upstream is:
> https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae

Could you please make sure to also include
https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0
to make the fix complete.

Possibly it's best to just update to the new 1.6.7 upstream version.

Regards,
Salvatore