node-sanitize-html: CVE-2022-25887

Debian Bug report logs - #1019219
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 5 Sep 2022 19:57:02 UTC

Severity: important

Tags: security, upstream

Found in version node-sanitize-html/2.7.0+~2.6.2-1

Fixed in version node-sanitize-html/2.7.1+~2.6.2-1

Done: Yadd <yadd@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#1019219; Package src:node-sanitize-html. (Mon, 05 Sep 2022 19:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 05 Sep 2022 19:57:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-sanitize-html: CVE-2022-25887
Date: Mon, 05 Sep 2022 21:52:00 +0200
Source: node-sanitize-html
Version: 2.7.0+~2.6.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for node-sanitize-html.

CVE-2022-25887[0]:
| The package sanitize-html before 2.7.1 is vulnerable to Regular
| Expression Denial of Service (ReDoS) due to insecure global regular
| expression replacement logic of HTML comment removal.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-25887
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25887
[1] https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c
[2] https://github.com/apostrophecms/sanitize-html/pull/557
[3] https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

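The advisory above points at global regular-expression replacement of HTML comments as the ReDoS sink. As an added illustration, not code from sanitize-html, its fix commit, or this report, the following strips comments with indexOf scanning so that work stays proportional to input length even when the input contains many `<!--` openers with no closer; the function names, the time-budget helper and the constructed input are assumptions made here.

```javascript
// Added example: remove HTML comments in linear time without regex backtracking.
// Helper names are assumed here; this is not the sanitize-html implementation.

const OPEN = '<!--';
const CLOSE = '-->';

// Removes every <!-- ... --> span. An unterminated comment swallows the rest of
// the input, which is how an HTML parser treats a comment that never closes.
// Each indexOf call advances past text it has already examined, so the whole
// input is scanned once; a lazy global pattern can instead rescan the tail for
// every opener it meets.
function stripHtmlComments(html) {
  let out = '';
  let pos = 0;
  while (pos < html.length) {
    const start = html.indexOf(OPEN, pos);
    if (start === -1) {
      out += html.slice(pos);
      break;
    }
    out += html.slice(pos, start);
    const end = html.indexOf(CLOSE, start + OPEN.length);
    if (end === -1) {
      break; // unterminated: drop the remainder rather than re-scanning it
    }
    pos = end + CLOSE.length;
  }
  return out;
}

// Defensive regression check: feed the stripper a constructed input made of
// many comment openers and no closer, the shape that stresses a backtracking
// pattern, and report whether it finished within the given time budget.
function stripsWithinBudget(openerCount, budgetMs) {
  const input = OPEN.repeat(openerCount) + '<b>x</b>'; // constructed input
  const started = Date.now();
  const result = stripHtmlComments(input);
  const elapsedMs = Date.now() - started;
  return { result, elapsedMs, withinBudget: elapsedMs <= budgetMs };
}
```

The budget check is the kind of test a package maintainer can keep in a suite to catch a regression back to a superlinear comment stripper.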


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1019219. (Tue, 06 Sep 2022 04:21:02 GMT) (full text, mbox, link).


Message #8 received at 1019219-submitter@bugs.debian.org (full text, mbox, reply):

From: Yadd <noreply@salsa.debian.org>
To: 1019219-submitter@bugs.debian.org
Subject: Bug#1019219 marked as pending in node-sanitize-html
Date: Tue, 06 Sep 2022 04:16:29 +0000
Control: tag -1 pending

Hello,

Bug #1019219 in node-sanitize-html reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-sanitize-html/-/commit/db49ebf18143dd9288eed93a7a48105e54075d40

------------------------------------------------------------------------
New upstream version (Closes: #1019219, CVE-2022-25887)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1019219



Added tag(s) pending. Request was from Yadd <noreply@salsa.debian.org> to 1019219-submitter@bugs.debian.org. (Tue, 06 Sep 2022 04:21:03 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1019219. (Tue, 06 Sep 2022 04:21:05 GMT) (full text, mbox, link).


Message #13 received at 1019219-submitter@bugs.debian.org (full text, mbox, reply):

From: Yadd <noreply@salsa.debian.org>
To: 1019219-submitter@bugs.debian.org
Subject: Bug#1019219 marked as pending in node-sanitize-html
Date: Tue, 06 Sep 2022 04:16:33 +0000
Control: tag -1 pending

Hello,

Bug #1019219 in node-sanitize-html reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-sanitize-html/-/commit/db49ebf18143dd9288eed93a7a48105e54075d40

------------------------------------------------------------------------
New upstream version (Closes: #1019219, CVE-2022-25887)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1019219



Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Tue, 06 Sep 2022 04:36:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 06 Sep 2022 04:36:03 GMT) (full text, mbox, link).


Message #18 received at 1019219-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1019219-close@bugs.debian.org
Subject: Bug#1019219: fixed in node-sanitize-html 2.7.1+~2.6.2-1
Date: Tue, 06 Sep 2022 04:33:50 +0000
Source: node-sanitize-html
Source-Version: 2.7.1+~2.6.2-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-sanitize-html, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1019219@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-sanitize-html package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 06 Sep 2022 06:12:56 +0200
Source: node-sanitize-html
Built-For-Profiles: nocheck
Architecture: source
Version: 2.7.1+~2.6.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1019219
Changes:
 node-sanitize-html (2.7.1+~2.6.2-1) unstable; urgency=medium
 .
   * Team upload
   * Update standards version to 4.6.1, no changes needed.
   * New upstream version (Closes: #1019219, CVE-2022-25887)





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Sep 6 13:19:49 2022; Machine Name: bembo
