Debian-LTS has issued an advisory today (November 3): http://lwn.net/Vulnerabilities/662900/
The issue was fixed upstream in 0.15. Cauldron was already updated by sander.
CC: (none) => jquelin
I have uploaded a patched package for Mageia 5. Not sure how to test it, but the included test passed during build, so it should be OK.
Suggested advisory:
========================
Updated perl-HTML-Scrubber package fixes security vulnerability:
Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module before 0.15 for Perl, when the comment feature is enabled, allows remote attackers to inject arbitrary web script or HTML via a crafted comment.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5667
========================
Updated packages in core/updates_testing:
========================
perl-HTML-Scrubber-0.110.0-6.1.mga5
Source RPMs:
perl-HTML-Scrubber-0.110.0-6.1.mga5.src.rpm
Hardware: i586 => All
Assignee: mageia => qa-bugs
Example script here http://search.cpan.org/~nigelm/HTML-Scrubber-0.15/lib/HTML/Scrubber.pm#How_does_it_work?
Whiteboard: (none) => has_procedure
(In reply to claire robinson from comment #2)
> Example script here
> http://search.cpan.org/~nigelm/HTML-Scrubber-0.15/lib/HTML/Scrubber.pm#How_does_it_work?
Seems to work fine on MGA5-64-OK. Tested on a VBox VM.
CC: (none) => shlomif
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Thanks Shlomi.
Validating. Advisory uploaded.
Please push to 5 updates, thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0488.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED