Bug 30310 - jsoup new security issues CVE-2021-37714 and CVE-2022-36033
Summary: jsoup new security issues CVE-2021-37714 and CVE-2022-36033
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: Java Stack Maintainers
QA Contact: Sec team
Reported: 2022-04-20 16:22 CEST by David Walser
Modified: 2024-01-12 09:47 CET
Source RPM: jsoup-1.13.1-1.mga8.src.rpm
Status comment: Fixed upstream in 1.15.3

Description David Walser 2022-04-20 16:22:05 CEST
SUSE has issued an advisory on April 19:
https://lists.suse.com/pipermail/sle-security-updates/2022-April/010753.html

The issue is fixed upstream in 1.14.2:
https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c

Mageia 8 is also affected.

David Walser 2022-04-20 16:22:32 CEST

Status comment: (none) => Fixed upstream in 1.14.2
Whiteboard: (none) => MGA8TOO

Comment 2 David Walser 2022-11-16 18:10:59 CET
SUSE has issued an advisory today (November 16):
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012941.html

The issue is fixed upstream in 1.15.3:
https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369
https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3
https://jsoup.org/news/release-1.15.3

Mageia 8 is also affected.

Status comment: Fixed upstream in 1.14.2 => Fixed upstream in 1.15.3
Summary: jsoup new security issue CVE-2021-37714 => jsoup new security issues CVE-2021-37714 and CVE-2022-36033

Comment 3 David Walser 2022-11-16 18:20:59 CET
(In reply to David Walser from comment #2)
> SUSE has issued an advisory today (November 16):
> https://lists.suse.com/pipermail/sle-security-updates/2022-November/012941.html
> 
> The issue is fixed upstream in 1.15.3:
> https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369
> https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3
> https://jsoup.org/news/release-1.15.3
> 
> Mageia 8 is also affected.

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4Q3BOKYZUW2DUIEUACMDXYYJ3AP2M2YI/

Comment 4 David GEIGER 2023-07-03 20:11:34 CEST
jsoup now removed from cauldron current java stack!

CC: (none) => geiger.david68210
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 5 Nicolas Salguero 2024-01-12 09:47:30 CET
Mageia 8 EOL

Status: NEW => RESOLVED
CC: (none) => nicolas.salguero
Resolution: (none) => OLD
