Bug 17080

Summary: perl-HTML-Scrubber new security issue CVE-2015-5667
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: jquelin, shlomif, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/662900/
Whiteboard: has_procedure advisory MGA5-64-OK
Source RPM: perl-HTML-Scrubber-0.110.0-6.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-11-03 20:50:37 CET 
Debian-LTS has issued an advisory today (November 3):
http://lwn.net/Vulnerabilities/662900/

The issue was fixed upstream in 0.15.  Cauldron was already updated by sander.

Reproducible: 

Steps to Reproduce:
David Walser 2015-11-03 20:50:47 CET

CC: (none) => jquelin

Comment 1 Sander Lepik 2015-12-12 17:19:08 CET 
I have uploaded a patched package for Mageia 5.

Not sure how to test it, but the included test passed during build, so it should be OK.

Suggested advisory:
========================

Updated perl-HTML-Scrubber package fixes security vulnerability:

Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module before 0.15 for Perl, when the comment feature is enabled, allows remote attackers to inject arbitrary web script or HTML via a crafted comment.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5667
========================

Updated packages in core/updates_testing:
========================
perl-HTML-Scrubber-0.110.0-6.1.mga5

Source RPMs: 
perl-HTML-Scrubber-0.110.0-6.1.mga5.src.rpm

Hardware: i586 => All
Assignee: mageia => qa-bugs

Comment 2 claire robinson 2015-12-18 16:53:50 CET 
Example script here http://search.cpan.org/~nigelm/HTML-Scrubber-0.15/lib/HTML/Scrubber.pm#How_does_it_work?

Whiteboard: (none) => has_procedure

Comment 3 Shlomi Fish 2015-12-24 14:22:15 CET 
(In reply to claire robinson from comment #2)
> Example script here
> http://search.cpan.org/~nigelm/HTML-Scrubber-0.15/lib/HTML/Scrubber.
> pm#How_does_it_work?

seems to work fine on MGA5-64-OK . Tested on a VBox VM.

CC: (none) => shlomif
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 4 claire robinson 2015-12-24 14:34:34 CET 
Thanks Shlomi

Validating. Advisory uploaded.

Please push to 5 updates, thanks.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-12-28 20:24:35 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0488.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED