Bug#803943: libhtml-scrubber-perl: CVE-2015-5667: cross-site scripting vulnerability in comments
Niko Tyni
ntyni at debian.org
Tue Nov 3 14:27:51 UTC 2015
On Tue, Nov 03, 2015 at 04:10:53PM +0200, Niko Tyni wrote:
> Package: libhtml-scrubber-perl
> Version: 0.08-4
> Severity: important
> Tags: security squeeze wheezy jessie
> Control: fixed -1 0.15-1
>
> From <https://security-tracker.debian.org/tracker/CVE-2015-5667>:
>
> Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module
> before 0.15 for Perl, when the comment feature is enabled, allows remote
> attackers to inject arbitrary web script or HTML via a crafted comment.
>
> Upstream fix: https://github.com/nigelm/html-scrubber/commit/e1978cc37867e85c06a84a4651745235010cd6cd
>
> This is fixed in unstable already. Presumably oldoldstable, oldstable,
> and stable are affected. I haven't looked at whether the patch applies
> to the older releases.
Security team: could you please add this bug number to the tracker?
I assume this is to be handled via stable updates rather than DSAs?
--
Niko Tyni ntyni at debian.org
More information about the pkg-perl-maintainers
mailing list