|
|
Log in / Subscribe / Register

Debian alert DLA-4333-1 (php-horde-css-parser)



From:
              Andreas Henriksson <andreas@fatal.se>


To:
              debian-lts-announce@lists.debian.org


Subject:
              [SECURITY] [DLA 4333-1] php-horde-css-parser security update


Date:
              Tue, 14 Oct 2025 18:52:05 +0200


Message-ID:
              <wx7v4c6rgkeimb6bry4y6z7phmqtkvytssne237sgulpdord42@qz5p3ou6exip>


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4333-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Andreas Henriksson
October 14, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : php-horde-css-parser
Version        : 1.0.11-8+deb11u1
CVE ID         : CVE-2020-13756
Debian Bug     : 

Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data,
possibly leading to remote code execution if the function allSelectors() or
getSelectorsBySpecificity() is called with input from an attacker.

The php-horde-css-parser bundles the Sabberworm PHP CSS Parser code and
is thus also vulnerable.

For Debian 11 bullseye, this problem has been fixed in version
1.0.11-8+deb11u1.

We recommend that you upgrade your php-horde-css-parser packages.

For the detailed security status of php-horde-css-parser please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-horde-css...

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Attachment: signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+uHltkZSvnmOJ4zCC8R9xk0TUwYFAmjuf7IACgkQC8R9xk0T
Uwajeg/+Njt/hSOrAJoeA4Tunyf4ieEXQHF/JSw6+isnm0sJrX6T4wYLtnzL43N6
3ZwjtGvudWzcC6cH6LCoWO3EaU3OBs69EI+lCZLgnLS7scpaVx5fPDnWmW/f4vJf
sQRf/0h5qcA08T0NUfa3FZGBr4qFSZsuku6TCVQ97YWtADZANr6N6JydqOIgeXzb
WJdZ5rp5EiQp/YwYM5ToU68SWphmtjeoGvmJGVyfYEs4qkRPjjPzTb3WrURRXJEv
xjsRtlc89EdCm7rbPwmtOhugWs90eJbZOokKkohosewiP78fe6jqhxw0jtQw9bmd
8cAhbrSNXy/HqXcZPj00yaR+yIIvafL/sPdzVlx1vuZ9yykAmGpfUDZz69Oh7Wn3
kavPJQCq0a0KVZlRPutRjfrWjcNQ/neoKv6f2JRB2cPSvY9Mu6vLwXbD5n+hp2z4
ZebKSmr7lskxAVzdZ0Uf8fT21CATDV3o9Nvhc5kwwULRUuh0jQAWi1wR00hrRFdO
8fj99eZ1LsGOj5vqo3o6YhdJAaRv4/HheVCW3KJyAre3c7R6nutHQZQWXSyssDMY
pTuxLT9P+CCIdrBy7AnqquEy4sO7kW6eP3k0ASuDU/V6xL1wUJcWxoYDIT8M031J
N4j4y4wW2Lc1CKHO9O3EGKTgvX0HQPFhfEtZk8bL/QaQZzodIdE=
=hbKm
-----END PGP SIGNATURE-----
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds