Bug 30310

Summary: jsoup new security issues CVE-2021-37714 and CVE-2022-36033
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Java Stack Maintainers <java>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: geiger.david68210, nicolas.salguero
Version: 8
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: jsoup-1.13.1-1.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 1.15.3

Description David Walser 2022-04-20 16:22:05 CEST
SUSE has issued an advisory on April 19:
https://lists.suse.com/pipermail/sle-security-updates/2022-April/010753.html

The issue is fixed upstream in 1.14.2:
https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c

Mageia 8 is also affected.

David Walser 2022-04-20 16:22:32 CEST

Status comment: (none) => Fixed upstream in 1.14.2
Whiteboard: (none) => MGA8TOO

Comment 2 David Walser 2022-11-16 18:10:59 CET
SUSE has issued an advisory today (November 16):
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012941.html

The issue is fixed upstream in 1.15.3:
https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369
https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3
https://jsoup.org/news/release-1.15.3

Mageia 8 is also affected.

Status comment: Fixed upstream in 1.14.2 => Fixed upstream in 1.15.3
Summary: jsoup new security issue CVE-2021-37714 => jsoup new security issues CVE-2021-37714 and CVE-2022-36033

Comment 3 David Walser 2022-11-16 18:20:59 CET
(In reply to David Walser from comment #2)
> SUSE has issued an advisory today (November 16):
> https://lists.suse.com/pipermail/sle-security-updates/2022-November/012941.html
> 
> The issue is fixed upstream in 1.15.3:
> https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369
> https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3
> https://jsoup.org/news/release-1.15.3
> 
> Mageia 8 is also affected.

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4Q3BOKYZUW2DUIEUACMDXYYJ3AP2M2YI/

Comment 4 David GEIGER 2023-07-03 20:11:34 CEST
jsoup now removed from cauldron current java stack!

CC: (none) => geiger.david68210
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 5 Nicolas Salguero 2024-01-12 09:47:30 CET
Mageia 8 EOL

Status: NEW => RESOLVED
CC: (none) => nicolas.salguero
Resolution: (none) => OLD