libowasp-antisamy-java - Debian Package Tracker

general

source: libowasp-antisamy-java (main)
version: 1.5.3+dfsg-1.1
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Matthew Vernon [DMD]
arch: all
std-ver: 3.9.5
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.5.3+dfsg-1
oldstable: 1.5.3+dfsg-1
stable: 1.5.3+dfsg-1.1
testing: 1.5.3+dfsg-1.1
unstable: 1.5.3+dfsg-1.1

versioned links

1.5.3+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.5.3+dfsg-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libowasp-antisamy-java (1 bugs: 0, 1, 0, 0)
libowasp-antisamy-java-doc

action needed

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2016-10006: In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.
CVE-2017-14735: OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of &colon; to construct a javascript: URL.
CVE-2021-35043: OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with &#00058 as the replacement for the : character.
CVE-2022-28366: Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
CVE-2022-28367: OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.

Created: 2022-07-04 Last update: 2023-03-01 19:01

5 security issues in bookworm high

There are 5 open security issues in bookworm.

2 important issues:

CVE-2022-28366: Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
CVE-2022-28367: OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.

3 issues postponed or untriaged:

CVE-2016-10006: (needs triaging) In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.
CVE-2017-14735: (needs triaging) OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of &colon; to construct a javascript: URL.
CVE-2021-35043: (needs triaging) OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with &#00058 as the replacement for the : character.

Created: 2022-07-04 Last update: 2023-03-01 19:01

Standards version of the package is outdated. high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 3.9.5).

Created: 2018-04-16 Last update: 2022-12-17 19:18

Depends on packages which need a new maintainer normal

The packages that libowasp-antisamy-java depends on which need a new maintainer are:

cdbs (#1026085)
- Build-Depends: cdbs

Created: 2022-12-16 Last update: 2023-03-21 21:33

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1.5.3+dfsg-2, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit c03765df3801f62ea0bcc6b75d43b2fbce8ab719
Author: Matthew Vernon <mcv21@cam.ac.uk>
Date:   Mon Jun 2 18:00:37 2014 +0100

    Move license text into copyright file
    
    Previously, we referred to the BSD license file in
    /usr/share/common-licenses/BSD. This is deprecated, so we don't do
    that any more. Also, I re-licensed my changes to this package to a
    permissive licence.

commit 87bb163e0a9b28536ff6c5ac96a0dee7c6d8a298
Author: Matthew Vernon <mcv21@cam.ac.uk>
Date:   Fri May 30 14:28:22 2014 +0100

    correct typo in version number

commit e2f4869e8e8cefd9665e75e13a2f911a22812d4e
Author: Matthew Vernon <mcv21@cam.ac.uk>
Date:   Fri May 30 14:25:45 2014 +0100

    Remove non-DFSG-compliant upstream materials

commit 21338b6e6c5f336ac9102e68c875657aa3abe945
Merge: e638da5 ae77a86
Author: Matthew Vernon <mcv21@cam.ac.uk>
Date:   Fri May 30 14:22:17 2014 +0100

    Merge tag 'upstream/1.5.3+dfsg'
    
    Upstream version 1.5.3+dfsg

commit ae77a865174ef2a2b95dd7e3594cd548c7b4ccde
Author: Matthew Vernon <mcv21@cam.ac.uk>
Date:   Fri May 30 14:22:16 2014 +0100

    Imported Upstream version 1.5.3+dfsg

commit e638da545094d74dddf0f31281a336e428419b9a
Author: Matthew Vernon <mcv21@cam.ac.uk>
Date:   Thu Mar 20 18:25:12 2014 +0000

    Initial Debianisation
    
    This adds debian/* from my pre-git work on this package, and a
    single-line patch to pom.xml (required for the package to build)

The Vcs URL git://anonscm.debian.org/pkg-java/libowasp-antisamy-java.git is deprecated/defunct, https://anonscm.debian.org/git/pkg-java/libowasp-antisamy-java.git was tried instead. Please update the Vcs field in debian/control.

Created: 2017-12-03 Last update: 2023-03-21 20:36

lintian reports 18 warnings normal

Lintian reports 18 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-01-27 Last update: 2023-02-17 00:37

5 low-priority security issues in bullseye low

There are 5 open security issues in bullseye.

5 issues left for the package maintainer to handle:

CVE-2016-10006: (needs triaging) In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.
CVE-2017-14735: (needs triaging) OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of &colon; to construct a javascript: URL.
CVE-2021-35043: (needs triaging) OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with &#00058 as the replacement for the : character.
CVE-2022-28366: (needs triaging) Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
CVE-2022-28367: (needs triaging) OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2023-03-01 19:01

debian/patches: 1 patch to forward upstream low

Among the 1 debian patch available in version 1.5.3+dfsg-1.1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-02-27 20:59

news

[rss feed]

[2021-01-13] libowasp-antisamy-java 1.5.3+dfsg-1.1 MIGRATED to testing (Debian testing watch)
[2021-01-08] Accepted libowasp-antisamy-java 1.5.3+dfsg-1.1 (source) into unstable (Holger Levsen)
[2014-06-10] libowasp-antisamy-java 1.5.3+dfsg-1 MIGRATED to testing (Debian testing watch)
[2014-05-30] Accepted libowasp-antisamy-java 1.5.3+dfsg-1 (source all) (Matthew Vernon)

bugs [bug history graph]

all: 3
RC: 0
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 18)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.5.3+dfsg-1.1