Fix links with extra trailing characters (Closes: #994897) (!234) · Merge requests · Debian Security Tracker / security-tracker

Sylvain Beucler requested to merge beuc/security-tracker:994897-fix-url-links into master Jul 12, 2025

Proper URL validation is pretty complex, so we're only adding an heuristic against common issues (sentence-closing period or parenthesis without space right after an URL).

Examples:

CVE-2019-11841: "See https://github.com/golang/go/issues/41200."
CVE-2025-3576: "(cf. https://web.mit.edu/kerberos/krb5-1.21/)"
CVE-2024-36462: "in https://github.com/.../036f3e14be3, first"
CVE-2024-27280: "bugfix for https://bugs.ruby-lang.org/issues/19389:"
CVE-2009-0676: "in https://bugzilla.redhat.com/show_bug.cgi?id=486305"

False-positives analysis:

'.,:' technically valid in URLs, but no valid occurrences in the tracker;
')>' should be URL-encoded in the non-hostname part of the URL.

Fix links with extra trailing characters (Closes: #994897)

Merge request reports