Bug 31495

Summary: perl-HTML-StripScripts new security issue CVE-2023-24038
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: perl-HTML-StripScripts-1.60.0-3.mga8.src.rpm CVE: CVE-2023-24038
Status comment:

Description David Walser 2023-02-01 17:48:54 CET 
Debian-LTS has issued an advisory on January 31:
https://www.debian.org/lts/security/2023/dla-3296

Our package has the wrong version, it says 1.60 when it's 1.06.

Mageia 8 is also affected.
David Walser 2023-02-01 17:49:07 CET

Status comment: (none) => Patch available from upstream and Debian
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2023-02-04 22:26:24 CET 
Assigning to the Perl maintainers

CC: (none) => marja11
Assignee: bugsquad => perl

Comment 2 David Walser 2023-02-06 16:27:10 CET 
Debian has issued an advisory for this on February 5:
https://www.debian.org/security/2023/dsa-5339
Comment 3 Nicolas Salguero 2023-03-13 14:42:53 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

The HTML-StripScripts module through 1.06 for Perl allows _hss_attval_style ReDoS because of catastrophic backtracking for HTML content with certain style attributes. (CVE-2023-24038)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24038
https://www.debian.org/lts/security/2023/dla-3296
https://www.debian.org/security/2023/dsa-5339
========================

Updated package in core/updates_testing:
========================
perl-HTML-StripScripts-1.60.0-3.1.mga8

from SRPM:
perl-HTML-StripScripts-1.60.0-3.1.mga8.src.rpm

Version: Cauldron => 8
CVE: (none) => CVE-2023-24038
Status: NEW => ASSIGNED
Status comment: Patch available from upstream and Debian => (none)
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Assignee: perl => qa-bugs

Nicolas Salguero 2023-03-13 14:43:06 CET

Source RPM: perl-HTML-StripScripts-1.60.0-4.mga9.src.rpm => perl-HTML-StripScripts-1.60.0-3.mga8.src.rpm

Comment 4 Herman Viaene 2023-03-16 10:43:20 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Developer's area, so OK on clean install.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2023-03-16 15:06:15 CET 
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-17 23:42:30 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2023-03-18 23:18:18 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0096.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED