Bug#1010154: libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367

Neil Williams codehelp at debian.org
Tue Apr 26 08:12:44 BST 2022


On Mon, 25 Apr 2022 21:43:30 -0700 tony mancill <tmancill at debian.org>
wrote:
> On Mon, Apr 25, 2022 at 07:22:12PM +0200, Salvatore Bonaccorso wrote:
> > Hi!
> > 
> > On Mon, Apr 25, 2022 at 01:48:43PM +0100, Neil Williams wrote:
> > > On Mon, 25 Apr 2022 13:39:49 +0100 Neil Williams
> > > <codehelp at debian.org> wrote:
> > > > Please note, the current homepage for libowasp-antisamy-java
> > > > appears to have no commits beyond version 1.5.3 but the change
> > > > for CVE-2022-29577 does match the source code for
> > > > libowasp-antisamy-java:
> > > > https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410
> > > 
> > > Apologies - that paragraph contains a typo - the matching change
> > > is for CVE-2022-28367:
> > > 
> > > The fix in what looks like the new upstream is:
> > > https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae
> > 
> > Could you please also make sure to include
> > https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0
> > so that the fix is complete.
> > 
> > Possibly it's best to just update to the new 1.6.7 upstream version.
> 
> Hello,
> 
> I have started working on the update to the latest upstream (1.6.8).
> Updating will require a NEW package for:
> 
>   https://github.com/HtmlUnit/htmlunit-neko

Note: htmlunit-neko also has open CVEs - these are currently ignored by
Debian but would be attributed to this package once an ITP bug is
created or a package uploaded.

It would be worth considering how to manage the ongoing work that may be
required for both of these packages.

> 
> (not to be confused with https://tracker.debian.org/pkg/nekohtml)
> 
> I believe that's the only missing package, but haven't yet assessed
> htmlunit-neko to determine if there are other transitive dependencies.
-- 
Neil Williams
=============
https://linux.codehelp.co.uk/