[Git][security-tracker-team/security-tracker][master] php-dompdf: Even unstable has a version before CVE-2022-28368 was introduced
Adrian Bunk (@bunk)
bunk at debian.org
Sun May 22 14:05:34 BST 2022
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker
Commits:
19b4fe9a by Adrian Bunk at 2022-05-22T16:03:36+03:00
php-dompdf: Even unstable has a version before CVE-2022-28368 was introduced
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -7926,13 +7926,14 @@ CVE-2022-28370
CVE-2022-28369
RESERVED
CVE-2022-28368 (Dompdf 1.2.1 allows remote code execution via a .php file in the src:u ...)
- - php-dompdf <unfixed> (bug #1010090)
- [stretch] - php-dompdf <not-affected> (Vulnerable code not present)
+ - php-dompdf <not-affected> (Vulnerable code introduced in 0.8.0, fixed in 1.2.1)
NOTE: https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce/
NOTE: https://positive.security/blog/dompdf-rce
NOTE: https://github.com/dompdf/dompdf/issues/2598
NOTE: https://github.com/dompdf/dompdf/pull/2808
NOTE: https://github.com/dompdf/dompdf/commit/4c70e1025bcd9b7694b95dd552499bd83cd6141d (v1.2.1)
+ NOTE: Vulnerability introduced by:
+ NOTE: https://github.com/dompdf/dompdf/commit/0e0261b7bce372b3a05b712a023f6f742a22d57e (v0.8.0)
CVE-2022-28367 (OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE ...)
- libowasp-antisamy-java <unfixed> (bug #1010154)
NOTE: https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae (v1.6.6)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19b4fe9ac2ffd4bc26a510e041a9a8abd56372f6
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19b4fe9ac2ffd4bc26a510e041a9a8abd56372f6
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220522/0c516292/attachment.htm>
More information about the debian-security-tracker-commits
mailing list