- From: Yves Lafon <ylafon@w3.org>
- Date: Fri, 24 Nov 2023 14:39:05 +0100
- To: Phani Kumar Kavuri <pkavuri@progress.com>
- Cc: "www-validator-css@w3.org" <www-validator-css@w3.org>, Amith Lambu <alambu@progress.com>, Kiran Babu <Kiranb@progress.com>
> On 22 Nov 2023, at 14:39, Phani Kumar Kavuri <pkavuri@progress.com> wrote:
>
> We, at Progress, use the latest CSS validator for one of the products for validating CSS. Our security scans have been reporting issues with common-text-1.9.jar, which is used by CSS-Validator.
> https://github.com/w3c/css-validator/releases/tag/cssval-20220105
> Release cssval-20220105 · w3c/css-validator
> Updated dependencies + build options + specs updates
>
> The following critical vulnerability with CVSS Score 9.8 is reported on Common-text-1.9.jar. Are there any plans to update CSS validator with Common-text-1.10.jar and make it available?
>
> CVE-2022-42889 | CWE-94
> Arbitrary Code Execution: Apache Commons Text is vulnerable to arbitrary code execution. The vulnerability exists in the `lookup` module due to insecure interpolation defaults when untrusted configuration values are used, which allows an attacker to inject arbitrary code into the system.
>
> Will appreciate a quick response.

Hi,

Fixed and checked dependencies, and as you are using releases, I pushed a new release, as it also contains other bug fixes in the handling of CSS.

See https://github.com/w3c/css-validator/releases/tag/cssval-20231124

Cheers,

--
Baroula que barouleras, au tiéu toujou t'entourneras.
~~Yves
Received on Friday, 24 November 2023 13:39:20 UTC
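The "insecure interpolation defaults" named in the report are the built-in lookups that `StringSubstitutor.createInterpolator()` wires in on commons-text 1.9. Added example, not code from this thread or from the css-validator project: it puts the default interpolator beside an allowlisted one, so that only an explicitly registered prefix can resolve and every built-in lookup stays out, whatever jar version is on the classpath (upgrading to 1.10 is still the fix the thread asks for). The `cfg` prefix and the `profile` key are hypothetical names chosen for the example.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class AllowlistedInterpolation {

    // Weak setting: createInterpolator() registers every built-in lookup
    // (on 1.9 that includes the ones CVE-2022-42889 is about), so whichever
    // "${prefix:...}" reaches replace() decides which lookup runs.
    static StringSubstitutor defaultInterpolator() {
        return StringSubstitutor.createInterpolator();
    }

    // Hardened setting: an explicit allowlist. Only the hypothetical "cfg"
    // prefix maps to a lookup (a plain in-memory map), no default lookup
    // handles unprefixed keys, and addDefaultLookups=false keeps all of the
    // built-in lookups out of the interpolator.
    static StringSubstitutor allowlistedInterpolator(Map<String, String> config) {
        StringLookup cfgLookup = StringLookupFactory.INSTANCE.mapStringLookup(config);
        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Map.of("cfg", cfgLookup), // prefix -> lookup allowlist
                null,                      // no fallback for keys without a prefix
                false);                    // do not add the built-in lookups
        StringSubstitutor s = new StringSubstitutor(interpolator);
        s.setEnableSubstitutionInVariables(false); // no nested ${...} inside names
        return s;
    }

    public static void main(String[] args) {
        // Constructed sample configuration for the demonstration.
        Map<String, String> config = Map.of("profile", "css3");
        StringSubstitutor s = allowlistedInterpolator(config);

        // The allowlisted prefix resolves from the map.
        System.out.println(s.replace("profile=${cfg:profile}"));
        // prints: profile=css3

        // A built-in prefix is not registered, the lookup returns null and the
        // substitutor leaves the placeholder untouched instead of dispatching it.
        System.out.println(s.replace("home=${sys:user.home}"));
        // prints: home=${sys:user.home}
    }
}
```

With `defaultInterpolator()` the second call would instead resolve `sys:user.home`, which is the behaviour difference an audit of untrusted template input should look for.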