Debian Bug report logs - #991898
prototypejs: CVE-2020-27511
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Frank Habermann <lordlamer@lordlamer.de>: Bug#991898; Package src:prototypejs. (Wed, 04 Aug 2021 17:42:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Frank Habermann <lordlamer@lordlamer.de>. (Wed, 04 Aug 2021 17:42:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: prototypejs
Version: 1.7.1-3.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1.7.1-3
Hi,
The following vulnerability was published for prototypejs.
CVE-2020-27511[0]:
| An issue was discovered in the stripTags and unescapeHTML components
| in Prototype 1.7.3 where an attacker can cause a Regular Expression
| Denial of Service (ReDOS) through stripping crafted HTML tags.
Basically this bug is just to track the issue downstream for us in
Debian. Upstream's last release was several years ago, in 2015, though,
so I wonder if post-bullseye release this bug's severity should be
raised to RC.
There are many (build)-rdeps on it so this cannot simply be removed
from the archive.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-27511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27511
[1] https://github.com/yetingli/PoCs/blob/main/CVE-2020-27511/Prototype.md
Regards,
Salvatore
Marked as found in versions prototypejs/1.7.1-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 04 Aug 2021 17:42:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>: Bug#991898; Package src:prototypejs. (Thu, 05 Aug 2021 11:21:03 GMT)
Acknowledgement sent to Neil Williams <codehelp@debian.org>: Extra info received and forwarded to list. Copy sent to Frank Habermann <lordlamer@lordlamer.de>. (Thu, 05 Aug 2021 11:21:03 GMT)
Message #12 received at 991898@bugs.debian.org:
On Wed, 04 Aug 2021 19:38:00 +0200 Salvatore Bonaccorso
<carnil@debian.org> wrote:
>
> The following vulnerability was published for prototypejs.
>
> CVE-2020-27511[0]:
> | An issue was discovered in the stripTags and unescapeHTML components
> | in Prototype 1.7.3 where an attacker can cause a Regular Expression
> | Denial of Service (ReDOS) through stripping crafted HTML tags.
(The CVE mentions a newer version but vulnerable code exists in older
versions too.)
The Debian package has been orphaned and upstream has not seen any
changes on the master branch since April 2017. (Last upload of a new
upstream release to Debian was in 2013.)
Nevertheless, there is a pull request which claims to address the
problem in strip_tags, opened in Jan 2021:
https://github.com/prototypejs/prototype/pull/349
> Basically this bug is just to track the issue downstream for us in
> Debian. Though upstream's last release was several years ago in 2015,
> so I wonder if post-bullseye release this bug severity should be
> raised to RC.
>
> There are many (build)-rdeps on it so this cannot simply be removed
> from the archive.
CC'ing the Javascript team in case someone there can take over the
package, possibly upstream as well as in Debian.
libjs-prototype
Reverse Depends:
libjs-flotr
wims
citadel-webcit
chromium-tt-rss-notifier
smokeping
libjs-scriptaculous
rabbit
libjs-protoaculous
php-horde-core
mobyle
libjs-jstorage
libhtml-prototype-perl
libembperl-perl
libaws18-dev
jsxgraph
gnat-gps-common
gerbera
gbrowse
fusiondirectory
darktable
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-27511
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27511
> [1]
> https://github.com/yetingli/PoCs/blob/main/CVE-2020-27511/Prototype.md
>
> Regards,
> Salvatore
>
>
--
Neil Williams
=============
https://linux.codehelp.co.uk/
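The CVE quoted above describes a regular-expression denial of service in Prototype's stripTags: a backtracking regex that tries to match a whole tag can re-scan the same characters many times when a crafted tag never closes. The usual mitigation is to stop using a backtracking pattern for this job and scan the input once with a small state machine. The block below is an added example of that approach; it is not Prototype's code, not the fix proposed in pull request 349, and not part of this bug log. It assumes stripTags-like semantics (drop `<name ...>` and `</name>`, leave a bare `<` such as in `a < b` alone, honour quoted attribute values) and makes one simplifying assumption of its own: a tag that never closes is kept verbatim instead of being retried from the next character, which is exactly the retry a regex would do and the source of the super-linear cost.

```javascript
// Added example (not Prototype's code): a single-pass tag stripper that does
// the job of String#stripTags without a backtracking regular expression.
// Every input character is inspected exactly once, so the running time is
// linear in the input length no matter how the tags are crafted.

function stripTagsLinear(input) {
  const TEXT = 0, TAG = 1, QUOTE = 2;
  let state = TEXT;
  let quoteChar = '';
  let tagStart = -1; // index of the '<' that opened the current tag
  let out = '';
  const isAlpha = (c) => (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

  for (let i = 0; i < input.length; i++) {
    const c = input[i];
    if (state === TEXT) {
      if (c === '<') {
        const next = input[i + 1];
        const afterSlash = input[i + 2];
        // Only "<name" or "</name" opens a tag; a bare '<' (as in "a < b") is text.
        if (isAlpha(next) || (next === '/' && isAlpha(afterSlash))) {
          state = TAG;
          tagStart = i;
          continue;
        }
      }
      out += c;
    } else if (state === TAG) {
      if (c === '>') {
        state = TEXT; // tag complete: it is dropped from the output
      } else if (c === '"' || c === "'") {
        state = QUOTE; // a '>' inside a quoted attribute value does not end the tag
        quoteChar = c;
      }
    } else { // QUOTE
      if (c === quoteChar) state = TAG;
    }
  }
  // Unterminated tag (assumption of this example): no '>' ever arrived, so the
  // text is kept verbatim. A regex would instead give up and retry the match
  // from the next character, re-reading the same suffix over and over.
  if (state !== TEXT) out += input.slice(tagStart);
  return out;
}

// Wall-clock helper so a reader can watch the cost stay flat as the input grows.
function stripTimed(input) {
  const t0 = Date.now();
  const out = stripTagsLinear(input);
  return { out, ms: Date.now() - t0 };
}

// Constructed sample inputs, including an opened-but-never-closed tag padded
// with a long run of whitespace, the general shape of input that makes a
// backtracking tag regex slow.
const samples = [
  '<p>Hello <b>world</b></p>',
  'a < b and c > d',
  '<a title="x>y">link</a>',
  '<a ' + ' '.repeat(100000),
];
for (const s of samples) {
  const { out, ms } = stripTimed(s);
  console.log(`${s.length} chars -> ${out.length} chars in ${ms} ms`);
}
```

On the long unterminated sample the scanner returns in a few milliseconds and hands the text back unchanged, which is the behaviour a defender wants from an input-sanitising helper: bounded work per byte, and no way for the caller's input to choose how much CPU the call consumes. The same check (time the function on a suspicious-shaped input of growing length and confirm the cost grows linearly) is how a maintainer can validate any proposed replacement regex before shipping it.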
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Aug 5 16:18:29 2021; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.