[Pkg-rust-maintainers] Bug#1115977: rust-ammonia: RUSTSEC-2025-0071
Salvatore Bonaccorso
carnil at debian.org
Mon Sep 22 18:29:46 BST 2025
Source: rust-ammonia
Version: 4.1.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi
See https://rustsec.org/advisories/RUSTSEC-2025-0071.html for details:
|Affected versions of this crate did not correctly strip
|namespace-incompatible tags in certain situations, causing it to
|incorrectly account for differences between HTML, SVG, and MathML.
|
|This vulnerability only has an effect when the svg or math tag is
|allowed, because it relies on a tag being parsed as html during the
|cleaning process, but serialized in a way that causes it to be parsed
|as xml by the browser.
|
|Additionally, the application using this library must allow a tag that
|is parsed as raw text in HTML. These elements are:
|
| title
| textarea
| xmp
| iframe
| noembed
| noframes
| plaintext
| noscript
| style
| script
|
|Applications that do not explicitly allow any of these tags should not
|be affected, since none are allowed by default.
Regards,
Salvatore
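The advisory above names two preconditions that must both hold before this bug can have any effect: the sanitizer's allowlist must contain `svg` or `math`, and it must also contain one of the ten elements whose content HTML parses as raw text. The following Rust code is an added example for auditing a deployment's tag allowlist against exactly those two lists; it is not part of this bug report, not ammonia's own API, and it does not depend on the ammonia crate. The tag lists are copied from the advisory text; the function names `audit_allowlist` and `harden_allowlist` and the sample allowlists are assumptions made for the example.

```rust
use std::collections::BTreeSet;

// Tags that switch the browser's parser into foreign (XML) content.
// Taken from the advisory: the bug only has an effect when one is allowed.
const FOREIGN_CONTENT_ROOTS: &[&str] = &["svg", "math"];

// Elements whose content HTML parses as raw text, as listed in the advisory.
// The second precondition: the application must allow at least one of these.
const RAW_TEXT_ELEMENTS: &[&str] = &[
    "title", "textarea", "xmp", "iframe", "noembed", "noframes",
    "plaintext", "noscript", "style", "script",
];

/// What an allowlist audit found: which of the advisory's tags are allowed.
#[derive(Debug, PartialEq, Eq)]
pub struct AllowlistAudit {
    pub foreign_roots: BTreeSet<String>,
    pub raw_text: BTreeSet<String>,
}

impl AllowlistAudit {
    /// True only when BOTH preconditions from the advisory hold.
    pub fn matches_advisory(&self) -> bool {
        !self.foreign_roots.is_empty() && !self.raw_text.is_empty()
    }
}

/// Audit an allowlist of tag names (matched case-insensitively, whitespace
/// trimmed) against the two tag lists above.
pub fn audit_allowlist<'a>(allowed: impl IntoIterator<Item = &'a str>) -> AllowlistAudit {
    let mut audit = AllowlistAudit {
        foreign_roots: BTreeSet::new(),
        raw_text: BTreeSet::new(),
    };
    for tag in allowed {
        let t = tag.trim().to_ascii_lowercase();
        if FOREIGN_CONTENT_ROOTS.contains(&t.as_str()) {
            audit.foreign_roots.insert(t);
        } else if RAW_TEXT_ELEMENTS.contains(&t.as_str()) {
            audit.raw_text.insert(t);
        }
    }
    audit
}

/// One possible configuration-level mitigation (an assumption of this example,
/// not a recommendation from the advisory): when the allowlist would satisfy
/// both preconditions, drop the raw-text elements so that only one remains.
/// Allowlists that never matched are returned unchanged (normalized).
pub fn harden_allowlist(allowed: &[&str]) -> Vec<String> {
    let vulnerable = audit_allowlist(allowed.iter().copied()).matches_advisory();
    allowed
        .iter()
        .map(|t| t.trim().to_ascii_lowercase())
        .filter(|t| !(vulnerable && RAW_TEXT_ELEMENTS.contains(&t.as_str())))
        .collect()
}

fn main() {
    // Constructed sample allowlists, not taken from any real deployment.
    let risky = ["p", "a", "svg", "style"];
    let audit = audit_allowlist(risky);
    println!(
        "risky allowlist matches advisory: {} (foreign: {:?}, raw-text: {:?})",
        audit.matches_advisory(),
        audit.foreign_roots,
        audit.raw_text
    );
    println!("hardened: {:?}", harden_allowlist(&risky));

    let safe = ["p", "a", "b", "i"];
    println!(
        "default-like allowlist matches advisory: {}",
        audit_allowlist(safe).matches_advisory()
    );
}
```

The audit is only a configuration check: an allowlist that satisfies both preconditions means the deployment should be treated as affected until the crate is upgraded to a fixed release (see the advisory for which versions those are). Removing `svg`/`math` instead of the raw-text elements also breaks the preconditions; which side to drop depends on what the application actually needs.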