On Tue, Nov 03, 2015 at 04:10:53PM +0200, Niko Tyni wrote: > Package: libhtml-scrubber-perl > Version: 0.08-4 > Severity: important > Tags: security squeeze wheezy jessie > Control: fixed -1 0.15-1 > > From <https://security-tracker.debian.org/tracker/CVE-2015-5667>: > > Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module > before 0.15 for Perl, when the comment feature is enabled, allows remote > attackers to inject arbitrary web script or HTML via a crafted comment. > > Upstream fix: > https://github.com/nigelm/html-scrubber/commit/e1978cc37867e85c06a84a4651745235010cd6cd > > This is fixed in unstable already. Presumably oldoldstable, oldstable, > and stable are affected. I haven't looked at whether the patch applies > to the older releases.
Security team: could you please add this bug number to the tracker? I assume this is to be handled via stable updates rather than DSAs? -- Niko Tyni [email protected]

