[Pkg-javascript-devel] prototypejs: CVE-2020-27511
Neil Williams
codehelp at debian.org
Thu Aug 5 12:19:06 BST 2021
On Wed, 04 Aug 2021 19:38:00 +0200 Salvatore Bonaccorso
<carnil at debian.org> wrote:
>
> The following vulnerability was published for prototypejs.
>
> CVE-2020-27511[0]:
> | An issue was discovered in the stripTags and unescapeHTML components
> | in Prototype 1.7.3 where an attacker can cause a Regular Expression
> | Denial of Service (ReDOS) through stripping crafted HTML tags.
(The CVE mentions a newer version but vulnerable code exists in older
versions too.)
The Debian package has been orphaned and upstream has not seen any
changes on the master branch since April 2017. (Last upload of a new
upstream release to Debian was in 2013.)
Nevertheless, there is a pull request which claims to address the
problem in strip_tags, opened in Jan 2021:
https://github.com/prototypejs/prototype/pull/349
> Basically this bug is just to track the issue downstream for us in
> Debian. Though upstream's last release was several years ago in 2015,
> so I wonder if post-bullseye release this bug severity should be
> raised to RC.
>
> There are many (build)-rdeps on it so this cannot simply be removed
> from the archive.
CC'ing the Javascript team in case someone there can take over the
package, possibly upstream as well as in Debian.
libjs-prototype
Reverse Depends:
libjs-flotr
wims
citadel-webcit
chromium-tt-rss-notifier
smokeping
libjs-scriptaculous
rabbit
libjs-protoaculous
php-horde-core
mobyle
libjs-jstorage
libhtml-prototype-perl
libembperl-perl
libaws18-dev
jsxgraph
gnat-gps-common
gerbera
gbrowse
fusiondirectory
darktable
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-27511
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27511
> [1]
> https://github.com/yetingli/PoCs/blob/main/CVE-2020-27511/Prototype.md
>
> Regards,
> Salvatore
>
>
--
Neil Williams
=============
https://linux.codehelp.co.uk/
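The CVE quoted above describes catastrophic regex backtracking in a strip-tags helper. The usual mitigation is to stop expressing the tag grammar as a regex with nested quantifiers and instead scan the input once. The following is an added example for this thread, not code from Prototype or from the linked pull request: a regex-free tag stripper whose cost is bounded by the input length, with an optional counter so the bound can be checked. The function name and the sample inputs are constructed for this example.

```javascript
// stripTagsLinear(html, stats): remove <tag ...> and </tag> sequences by a
// single left-to-right scan. Each input character is consumed at most once,
// so runtime is O(n) regardless of how the input is crafted.
// `stats.steps`, when a stats object is passed, counts loop iterations so a
// caller can verify the linear bound on suspicious inputs.
// Added example; not Prototype's stripTags implementation.
function stripTagsLinear(html, stats) {
  const n = html.length;
  let out = '';
  let i = 0;
  while (i < n) {
    if (stats) stats.steps++;
    const c = html[i];
    if (c !== '<') { out += c; i++; continue; }

    // Tag candidate: '<', optional '/', then an alphabetic tag name.
    let j = i + 1;
    if (html[j] === '/') j++;
    if (j >= n || !/[A-Za-z]/.test(html[j])) {
      out += c;            // a bare '<' (e.g. "a < b") is ordinary text
      i++;
      continue;
    }

    // Scan forward to the closing '>', skipping over quoted attribute values
    // so a '>' inside quotes does not end the tag. No backtracking: k only moves forward.
    let quote = null;
    let k = j;
    let closed = false;
    while (k < n) {
      if (stats) stats.steps++;
      const d = html[k];
      if (quote) {
        if (d === quote) quote = null;
      } else if (d === '"' || d === "'") {
        quote = d;
      } else if (d === '>') {
        closed = true;
        break;
      }
      k++;
    }

    if (!closed) {
      // Unterminated tag (or unbalanced quote): keep the remainder as text,
      // which matches what a regex that fails to match would leave behind.
      out += html.slice(i);
      break;
    }
    i = k + 1;             // resume after the tag; nothing is re-scanned
  }
  return out;
}

// Constructed sample: normal markup, a '>' inside a quoted attribute,
// and a large unterminated tag of the shape that makes nested-quantifier
// regexes backtrack.
const sampleHtml = '<b>bold</b> and <a href="x>y">link</a>, 1 < 2';
const hostileInput = '<a' + ' '.repeat(5000) + 'b';

module.exports = { stripTagsLinear, sampleHtml, hostileInput };
```

Usage: `stripTagsLinear(sampleHtml)` yields `bold and link, 1 < 2`; passing `{steps: 0}` as the second argument on the hostile input shows the step count never exceeds about twice the input length, which is the property a regex-based implementation lacks.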