libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367

Related Vulnerabilities: CVE-2022-28366   CVE-2022-28367   CVE-2022-29577   CVE-2022-24939  

Debian Bug report logs - #1010154


Reported by: Neil Williams <codehelp@debian.org>

Date: Mon, 25 Apr 2022 12:42:01 UTC

Severity: important

Tags: security

Found in version libowasp-antisamy-java/1.5.3+dfsg-1.1



Report forwarded to debian-bugs-dist@lists.debian.org, codehelp@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1010154; Package src:libowasp-antisamy-java. (Mon, 25 Apr 2022 12:42:03 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
New Bug report received and forwarded. Copy sent to codehelp@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 25 Apr 2022 12:42:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367
Date: Mon, 25 Apr 2022 13:39:49 +0100
Source: libowasp-antisamy-java
Version: 1.5.3+dfsg-1.1
Severity: important
Tags: security
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>

Hi,

Please note, the current homepage for libowasp-antisamy-java appears to
have no commits beyond version 1.5.3 but the change for CVE-2022-29577
does match the source code for libowasp-antisamy-java:
https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410

So I am reporting the bug on the basis that upstream looks to have moved
to a new location. There may be other CVEs which need to be attributed
in this case. Please confirm and update the package links if correct.

The following vulnerabilities were published for libowasp-antisamy-java.

CVE-2022-28367[0]:
| OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE
| content with crafted input. The output serializer does not properly
| encode the supposed Cascading Style Sheets (CSS) content.


CVE-2022-28366[1]:
| Certain Neko-related HTML parsers allow a denial of service via
| crafted Processing Instruction (PI) input that causes excessive heap
| memory consumption. In particular, this issue exists in HtmlUnit-Neko
| through 2.26, and is fixed in 2.27. This issue also exists in
| CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before
| 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this
| may be related to CVE-2022-24939.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-28367
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28367
[1] https://security-tracker.debian.org/tracker/CVE-2022-28366
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28366

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
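As an added example (not code from the bug report or the AntiSamy project): a small Python check that applies the fix versions quoted in the report (AntiSamy 1.6.6, htmlunit-neko 2.27, CyberNeko HTML 1.9.22 with no fixed release) to a Debian package version, and treats a CVE id named in debian/changelog as a backported fix, which is why the report asks maintainers to put CVE ids in changelog entries. The package-to-version table keyed by Debian source package name, the changelog entry and the maintainer address are constructed for this example.

```python
import re

# Fix versions as quoted in the bug report (assumption: keyed by Debian source package name).
# CVE-2022-28366 lives in the Neko parser layer: fixed in htmlunit-neko 2.27; CyberNeko
# HTML (Debian package nekohtml) stopped at 1.9.22, so it has no fixed version at all.
FIXED_IN = {
    "libowasp-antisamy-java": {"CVE-2022-28367": "1.6.6", "CVE-2022-28366": "1.6.6"},
    "htmlunit-neko": {"CVE-2022-28366": "2.27"},
    "nekohtml": {"CVE-2022-28366": None},
}

# Constructed changelog entry (not from the report) showing a backported fix.
CONSTRUCTED_CHANGELOG = """\
libowasp-antisamy-java (1.5.3+dfsg-1.2) unstable; urgency=high

  * Backport upstream fix for CVE-2022-28367 (STYLE content encoding).

 -- Example Maintainer <maint@example.invalid>  Tue, 26 Apr 2022 09:00:00 +0100
"""

def upstream_version(debian_version):
    """'1:1.5.3+dfsg-1.1' -> '1.5.3': drop epoch, Debian revision and repack suffix."""
    v = debian_version.split(":", 1)[-1]
    v = v.rsplit("-", 1)[0]
    return re.sub(r"\+(dfsg|ds)\d*$", "", v)

def version_tuple(v):
    """Numeric-only comparison key; non-numeric parts (rc1, beta) count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def cves_in_changelog(changelog_text):
    """CVE ids mentioned anywhere in a debian/changelog text."""
    return set(re.findall(r"CVE-\d{4}-\d{4,}", changelog_text))

def assess(package, debian_version, changelog_text=""):
    """Map each CVE for `package` to fixed-backport, fixed-upstream, vulnerable or no-fix."""
    mentioned = cves_in_changelog(changelog_text)
    result = {}
    for cve, fixed in FIXED_IN[package].items():
        if cve in mentioned:  # changelog names the CVE: treat as a backported fix
            result[cve] = "fixed-backport"
        elif fixed is None:
            result[cve] = "no-fix"
        elif version_tuple(upstream_version(debian_version)) >= version_tuple(fixed):
            result[cve] = "fixed-upstream"
        else:
            result[cve] = "vulnerable"
    return result
```

A changelog mention is only a heuristic for a backported fix; the Debian security tracker remains the authoritative record of which versions are affected.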



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1010154; Package src:libowasp-antisamy-java. (Mon, 25 Apr 2022 12:51:02 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 25 Apr 2022 12:51:02 GMT)


Message #10 received at 1010154@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: 1010154@bugs.debian.org
Subject: Re: libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367
Date: Mon, 25 Apr 2022 13:48:43 +0100
On Mon, 25 Apr 2022 13:39:49 +0100 Neil Williams <codehelp@debian.org> wrote:
> Please note, the current homepage for libowasp-antisamy-java appears to
> have no commits beyond version 1.5.3 but the change for CVE-2022-29577
> does match the source code for libowasp-antisamy-java:
> https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410

Apologies - that paragraph contains a typo - the matching change is for
CVE-2022-28367:

The fix in what looks like the new upstream is:
https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae



-- 
Neil Williams
=============
https://linux.codehelp.co.uk/

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1010154; Package src:libowasp-antisamy-java. (Mon, 25 Apr 2022 17:27:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 25 Apr 2022 17:27:03 GMT)


Message #15 received at 1010154@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Neil Williams <codehelp@debian.org>, 1010154@bugs.debian.org
Subject: Re: Bug#1010154: libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367
Date: Mon, 25 Apr 2022 19:22:12 +0200
Hi!

On Mon, Apr 25, 2022 at 01:48:43PM +0100, Neil Williams wrote:
> On Mon, 25 Apr 2022 13:39:49 +0100 Neil Williams <codehelp@debian.org> wrote:
> > Please note, the current homepage for libowasp-antisamy-java appears to
> > have no commits beyond version 1.5.3 but the change for CVE-2022-29577
> > does match the source code for libowasp-antisamy-java:
> > https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410
> 
> Apologies - that paragraph contains a typo - the matching change is for
> CVE-2022-28367:
> 
> The fix in what looks like the new upstream is:
> https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae

Could you please make sure to also include
https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0
to make the fix complete.

Possibly it's best to just update to the new 1.6.7 upstream version.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1010154; Package src:libowasp-antisamy-java. (Tue, 26 Apr 2022 04:45:03 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 26 Apr 2022 04:45:03 GMT)


Message #20 received at 1010154@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1010154@bugs.debian.org
Cc: Neil Williams <codehelp@debian.org>
Subject: Re: Bug#1010154: libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367
Date: Mon, 25 Apr 2022 21:43:30 -0700
On Mon, Apr 25, 2022 at 07:22:12PM +0200, Salvatore Bonaccorso wrote:
> Hi!
> 
> On Mon, Apr 25, 2022 at 01:48:43PM +0100, Neil Williams wrote:
> > On Mon, 25 Apr 2022 13:39:49 +0100 Neil Williams <codehelp@debian.org> wrote:
> > > Please note, the current homepage for libowasp-antisamy-java appears to
> > > have no commits beyond version 1.5.3 but the change for CVE-2022-29577
> > > does match the source code for libowasp-antisamy-java:
> > > https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410
> > 
> > Apologies - that paragraph contains a typo - the matching change is for
> > CVE-2022-28367:
> > 
> > The fix in what looks like the new upstream is:
> > https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae
> 
> Could you please make sure to as well include
> https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0
> to make the fix complete.
> 
> Possibly it's best to just update to the new 1.6.7 upstream version.

Hello,

I have started working on the update to the latest upstream (1.6.8).
Updating will require a NEW package for:

  https://github.com/HtmlUnit/htmlunit-neko

(not to be confused with https://tracker.debian.org/pkg/nekohtml)

I believe that's the only missing package, but haven't yet assessed
htmlunit-neko to determine if there are other transitive dependencies.

Cheers,
tony

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1010154; Package src:libowasp-antisamy-java. (Tue, 26 Apr 2022 07:15:03 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 26 Apr 2022 07:15:03 GMT)


Message #25 received at 1010154@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: 1010154@bugs.debian.org
Subject: Re: Bug#1010154: libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367
Date: Tue, 26 Apr 2022 08:12:44 +0100
On Mon, 25 Apr 2022 21:43:30 -0700 tony mancill <tmancill@debian.org>
wrote:
> On Mon, Apr 25, 2022 at 07:22:12PM +0200, Salvatore Bonaccorso wrote:
> > Hi!
> > 
> > On Mon, Apr 25, 2022 at 01:48:43PM +0100, Neil Williams wrote:
> > > On Mon, 25 Apr 2022 13:39:49 +0100 Neil Williams
> > > <codehelp@debian.org> wrote:
> > > > Please note, the current homepage for libowasp-antisamy-java
> > > > appears to have no commits beyond version 1.5.3 but the change
> > > > for CVE-2022-29577 does match the source code for
> > > > libowasp-antisamy-java:
> > > > https://sources.debian.org/src/libowasp-antisamy-java/1.5.3+dfsg-1.1/src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java/?hl=410#L410
> > > 
> > > Apologies - that paragraph contains a typo - the matching change
> > > is for CVE-2022-28367:
> > > 
> > > The fix in what looks like the new upstream is:
> > > https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae
> > 
> > Could you please make sure to as well include
> > https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0
> > to make the fix complete.
> > 
> > Possibly it's best to just update to the new 1.6.7 upstream version.
> 
> Hello,
> 
> I have started working on the update to the latest upstream (1.6.8).
> Updating will require a NEW package for:
> 
>   https://github.com/HtmlUnit/htmlunit-neko

Note: htmlunit-neko also has open CVEs - these are currently ignored by
Debian but would be attributed to this package once an ITP bug is
created or a package uploaded.

It would be worth considering how to manage the ongoing work that may be
required for both of these packages.

> 
> (not to be confused with https://tracker.debian.org/pkg/nekohtml)
> 
> I believe that's the only missing package, but haven't yet assessed
> htmlunit-neko to determine if there are other transitive dependencies.



-- 
Neil Williams
=============
https://linux.codehelp.co.uk/


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Apr 26 13:10:47 2022; Machine Name: buxtehude
