Bug 559002 - <dev-java/jsoup-1.8.3: XSS
Summary: <dev-java/jsoup-1.8.3: XSS
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-08-28 08:10 UTC by Agostino Sarubbo
Modified: 2015-09-11 08:59 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2015-08-28 08:10:56 UTC
From ${URL} :

Described in this pull request by Tommy Johansen:

“
We use Hibernate Validator (HV) and the @SafeHtml annotation to validate
input from users. During a security review we discovered that an unsafe
XSS vector slipped by the validator. While debugging HV we discovered
that the source of the problem was related to how Jsoup handled tags
without a closing > when reaching EOF.
”

<https://github.com/jhy/jsoup/pull/582>

Additional references:

<https://hibernate.atlassian.net/browse/HV-1012>
<https://issues.jboss.org/browse/WFLY-5223>
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
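As an added regression check (not jsoup's or Hibernate Validator's own code, and not part of the bug report), the following Java snippet feeds fragments that end in a tag with no closing `>` through `Jsoup.clean` with `Whitelist.basic()`, embeds the cleaned output in surrounding markup the way an application page would, and reports any element outside the allow list. It assumes the jsoup 1.8.x `Jsoup`/`Whitelist` API; the sample inputs and the hard-coded allow-list set are constructed here.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Whitelist;
import java.util.*;

public class UnterminatedTagCheck {
    // Elements Whitelist.basic() permits, copied from the jsoup javadoc
    // (constructed allow list for this check; not read from the library).
    private static final Set<String> BASIC_TAGS = new HashSet<>(Arrays.asList(
        "a", "b", "blockquote", "br", "cite", "code", "dd", "dl", "dt", "em", "i",
        "li", "ol", "p", "pre", "q", "small", "span", "strike", "strong", "sub",
        "sup", "u", "ul"));

    /** Tag names that survive cleaning but are not in the allow list. */
    static List<String> leakedTags(String untrusted) {
        String cleaned = Jsoup.clean(untrusted, Whitelist.basic());
        // Re-parse the cleaned fragment inside surrounding markup: an unterminated
        // tag that the cleaner passed through as raw text only becomes a real tag
        // once more page content follows it, so test it in that position.
        String embedded = "<div>" + cleaned + "</div><p>rest of page</p>";
        List<String> leaked = new ArrayList<>();
        for (Element e : Jsoup.parseBodyFragment(embedded).body().getAllElements()) {
            String name = e.tagName();
            if (!name.equals("body") && !name.equals("div") && !BASIC_TAGS.contains(name)) {
                leaked.add(name);
            }
        }
        return leaked;
    }

    public static void main(String[] args) {
        // Constructed samples: each ends in a tag that is never closed with '>'.
        String[] samples = {
            "<p>hello</p><script",
            "<b>bold</b><iframe src=\"http://example.com\"",
            "<a href=\"http://example.com\"",
        };
        boolean allClean = true;
        for (String s : samples) {
            List<String> leaked = leakedTags(s);
            System.out.printf("%-48s -> %s%n", s, leaked.isEmpty() ? "clean" : "LEAKED " + leaked);
            allClean &= leaked.isEmpty();
        }
        if (!allClean) System.exit(1);   // non-zero exit fails the build
    }
}
```

Run it against the jsoup version in use; a non-empty leaked list on any sample means the sanitiser still lets unterminated tags through and the package should not be considered fixed.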
Comment 1 Patrice Clement gentoo-dev 2015-09-05 14:53:39 UTC
commit 52af7b5 (HEAD, origin/master, origin/HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Sat Sep 5 14:50:23 2015 +0000

    dev-java/jsoup: Version bump. Fixes security bug 559002.
    
    Package-Manager: portage-2.2.18
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 create mode 100644 dev-java/jsoup/jsoup-1.8.3.ebuild

Arch teams,

Please stabilise:
dev-java/jsoup-1.8.3.ebuild

Target arches:
amd64 x86

Security,

Please vote.
Comment 2 Agostino Sarubbo gentoo-dev 2015-09-06 08:48:43 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-09-06 08:49:37 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Patrice Clement gentoo-dev 2015-09-06 09:08:56 UTC
commit f062a3d (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Sun Sep 6 09:07:34 2015 +0000

    dev-java/jsoup: Remove vulnerable versions. Fixes security bug 559002.
    
    Package-Manager: portage-2.2.18
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 delete mode 100644 dev-java/jsoup/jsoup-1.7.2.ebuild
 delete mode 100644 dev-java/jsoup/jsoup-1.8.1.ebuild

Security please vote.
Comment 5 Patrice Clement gentoo-dev 2015-09-11 08:20:34 UTC
ping @security
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-09-11 08:59:06 UTC
no glsa for XSS