Your message dated Sun, 05 Jan 2025 11:56:27 +0000
with message-id <e1tupf5-00alzp...@fasolo.debian.org>
and subject line Bug#1039989: fixed in plantuml 1:1.2020.2+ds-6
has caused the Debian Bug report #1039989,
regarding plantuml: CVE-2022-1231
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1039989: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039989
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: plantuml
Version: 1:1.2020.2+ds-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for plantuml.

CVE-2022-1231[0]:
| XSS via Embedded SVG in SVG Diagram Format in GitHub repository
| plantuml/plantuml prior to 1.2022.4. Stored XSS in the context of
| the diagram embedder. Depending on the actual context, this ranges
| from stealing secrets to account hijacking or even to code execution
| for example in desktop applications. Web based applications are the
| ones most affected. Since the SVG format allows clickable links in
| diagrams, it is commonly used in plugins for web based projects
| (like the Confluence plugin, etc. see
| https://plantuml.com/de/running).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1231
    https://www.cve.org/CVERecord?id=CVE-2022-1231
[1] https://huntr.dev/bounties/27db9509-6cd3-4148-8d70-5942f3837604/
[2] https://github.com/plantuml/plantuml/commit/c9137be051ce98b3e3e27f65f54ec7d9f8886903

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: plantuml
Source-Version: 1:1.2020.2+ds-6
Done: Andrej Shadura <andre...@debian.org>

We believe that the bug you reported is fixed in the latest version of
plantuml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1039...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura <andre...@debian.org> (supplier of updated plantuml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sun, 05 Jan 2025 12:30:46 +0100
Source: plantuml
Architecture: source
Version: 1:1.2020.2+ds-6
Distribution: unstable
Urgency: medium
Maintainer: Andrej Shadura <andre...@debian.org>
Changed-By: Andrej Shadura <andre...@debian.org>
Closes: 1039989
Changes:
 plantuml (1:1.2020.2+ds-6) unstable; urgency=medium
 .
   * CVE-2022-1231: Clean up SVG by removing scripts and foreign objects
     (Closes: #1039989)



--- End Message ---
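As an added illustration of the clean-up the changelog entry describes (this is example code written for this page, not PlantUML's own code and not the Debian patch): the sanitiser below parses an SVG with the Python standard library, drops the script and foreignObject elements the changelog names, and also strips on* event-handler attributes and script-scheme hrefs, since the CVE text points out that clickable links are why SVG output is embedded in web applications. The sample SVG, the element list and the attribute rules are constructed assumptions, not taken from the fix.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)         # keep the default namespace on output
ET.register_namespace("xlink", XLINK_NS)  # keep the xlink: prefix on output

# Active content named in the Debian changelog: <script> and <foreignObject>
# (the latter lets arbitrary XHTML ride inside the SVG). Assumed list.
DROP_ELEMENTS = {"script", "foreignObject"}

def _local(qname):  # '{uri}name' -> 'name', for elements and attributes alike
    return qname.rsplit("}", 1)[-1]

def _is_active_attribute(name, value):
    """True for on* event handlers and script-scheme hrefs (plain or xlink:)."""
    local = _local(name).lower()
    if local.startswith("on"):
        return True
    if local == "href":
        # Strip whitespace/control chars first so 'java\tscript:' is caught too.
        compact = "".join(c for c in value.lower() if c.isprintable() and not c.isspace())
        return compact.startswith(("javascript:", "vbscript:", "data:"))
    return False

def sanitize_svg(svg_text):
    """Return (cleaned_svg, removal counts). Use defusedxml for untrusted input in production."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    counts = {"elements": 0, "attributes": 0}
    for parent in list(root.iter()):  # snapshot: mutating while iterating skips siblings
        for child in list(parent):
            if _local(child.tag) in DROP_ELEMENTS:
                parent.remove(child)
                counts["elements"] += 1
    for el in root.iter():
        for name in list(el.attrib):
            if _is_active_attribute(name, el.attrib[name]):
                del el.attrib[name]
                counts["attributes"] += 1
    return ET.tostring(root, encoding="unicode"), counts

# Constructed sample: a diagram with one legitimate link and three injected payloads.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="https://example.com/issue/42"><text x="1" y="10">ticket</text></a>
  <a xlink:href="javascript:alert(1)"><text x="1" y="20">link</text></a>
  <rect width="10" height="10" onclick="alert(1)"/>
  <script>alert(1)</script>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml">html</div></foreignObject>
</svg>"""
```

Run sanitize_svg(SAMPLE_SVG): the legitimate link survives, the two elements and two attributes are removed, and the counts come back as {'elements': 2, 'attributes': 2}.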
