|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2023-34623: jtidy: denial of service via crafted object that uses cyclic dependencies | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Leroy <thomas.leroy> |
| Component: | Incidents | Assignee: | Gus Kenion <gus.kenion> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | david.anes, gus.kenion, security-team, stoyan.manolov |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/369516/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-34623:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
Thomas Leroy
2023-06-15 08:40:14 UTC
The issue has been created in the jtidy fork trajano/jtidy as far as I understand, but that might also affect sourceforge jtidy Tracking jtidy as affected: - SUSE:SLE-12:Update - SUSE:SLE-15-SP2:Update - SUSE:SLE-15:Update - SUSE:ALP:Source:Standard:1.0 Upstream project looks dead, not sure maintainers will provide a fix Hi Stoyan and Gus, The following two commits fix the issue: * https://github.com/jtidy/jtidy/commit/fc011d34ea3f2cb1395e8443154b31f690466b19 * https://github.com/jtidy/jtidy/commit/67a39369b6f9837a4273d0315b0c5ac7e7eb2905 I didn't evaluate how much effort is to fix all codestreams, but let me know if you need help Gus. Created a patch based on fix from github project jtidy/jtidy. Submitted change requests for SLE-12, SLE-12-SP2, SLE-15, and ALP. Submitted request in Factory repo to replace existing upstream with github project jtidy/jtidy. Discussion of the latter is ongoing. Aforementioned patch fixes were all accepted. Patch change requests accepted in SLE-12, SLE-12-SP2, SLE-15, and ALP. Version upgrade request accepted in Factory. SUSE-SU-2023:3016-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1212404 CVE References: CVE-2023-34623 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): jtidy-8.0-150000.4.3.1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): jtidy-8.0-150000.4.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): jtidy-8.0-150000.4.3.1 SUSE CaaS Platform 4.0 (src): jtidy-8.0-150000.4.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2023:3165-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1212404 CVE References: CVE-2023-34623 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): jtidy-8.0-27.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2023:3164-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1212404 CVE References: CVE-2023-34623 Sources used: openSUSE Leap 15.5 (src): jtidy-8.0-150200.11.7.1 Development Tools Module 15-SP4 (src): jtidy-8.0-150200.11.7.1 Development Tools Module 15-SP5 (src): jtidy-8.0-150200.11.7.1 SUSE Linux Enterprise Real Time 15 SP3 (src): jtidy-8.0-150200.11.7.1 openSUSE Leap 15.4 (src): jtidy-8.0-150200.11.7.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. |