Bugzilla – Bug 1212404
VUL-0: CVE-2023-34623: jtidy: denial of service via crafted object that uses cyclic dependencies
Last modified: 2023-08-02 12:30:07 UTC
CVE-2023-34623 An issue was discovered jtidy thru r938 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34623 https://bugzilla.redhat.com/show_bug.cgi?id=2215234 https://www.cve.org/CVERecord?id=CVE-2023-34623 https://github.com/trajano/jtidy/issues/4
The issue has been created in the jtidy fork trajano/jtidy as far as I understand, but that might also affect sourceforge jtidy
Tracking jtidy as affected: - SUSE:SLE-12:Update - SUSE:SLE-15-SP2:Update - SUSE:SLE-15:Update - SUSE:ALP:Source:Standard:1.0 Upstream project looks dead, not sure maintainers will provide a fix
Hi Stoyan and Gus, The following two commits fix the issue: * https://github.com/jtidy/jtidy/commit/fc011d34ea3f2cb1395e8443154b31f690466b19 * https://github.com/jtidy/jtidy/commit/67a39369b6f9837a4273d0315b0c5ac7e7eb2905 I didn't evaluate how much effort is to fix all codestreams, but let me know if you need help Gus.
Created a patch based on fix from github project jtidy/jtidy. Submitted change requests for SLE-12, SLE-12-SP2, SLE-15, and ALP. Submitted request in Factory repo to replace existing upstream with github project jtidy/jtidy. Discussion of the latter is ongoing. Aforementioned patch fixes were all accepted.
Patch change requests accepted in SLE-12, SLE-12-SP2, SLE-15, and ALP. Version upgrade request accepted in Factory.
SUSE-SU-2023:3016-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1212404 CVE References: CVE-2023-34623 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): jtidy-8.0-150000.4.3.1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): jtidy-8.0-150000.4.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): jtidy-8.0-150000.4.3.1 SUSE CaaS Platform 4.0 (src): jtidy-8.0-150000.4.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3165-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1212404 CVE References: CVE-2023-34623 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): jtidy-8.0-27.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3164-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1212404 CVE References: CVE-2023-34623 Sources used: openSUSE Leap 15.5 (src): jtidy-8.0-150200.11.7.1 Development Tools Module 15-SP4 (src): jtidy-8.0-150200.11.7.1 Development Tools Module 15-SP5 (src): jtidy-8.0-150200.11.7.1 SUSE Linux Enterprise Real Time 15 SP3 (src): jtidy-8.0-150200.11.7.1 openSUSE Leap 15.4 (src): jtidy-8.0-150200.11.7.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.