Your message dated Wed, 15 Jul 2020 20:40:50 +0000
with message-id <e1jvocw-000iqb...@fasolo.debian.org>
and subject line Bug#963808: fixed in ruby-sanitize 4.6.6-2.1
has caused the Debian Bug report #963808,
regarding ruby-sanitize: CVE-2020-4054: HTML sanitization bypass in Sanitize
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
963808: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963808
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-sanitize
Version: 4.6.6-2
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerability was published for ruby-sanitize.
CVE-2020-4054[0]:
| In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less
| than 5.2.1, there is a cross-site scripting vulnerability. When HTML
| is sanitized using Sanitize's "relaxed" config, or a custom config
| that allows certain elements, some content in a math or svg element
| may not be sanitized correctly even if math and svg are not in the
| allowlist. You are likely to be vulnerable to this issue if you use
| Sanitize's relaxed config or a custom config that allows one or more
| of the following HTML elements: iframe, math, noembed, noframes,
| noscript, plaintext, script, style, svg, xmp. Using carefully crafted
| input, an attacker may be able to sneak arbitrary HTML through
| Sanitize, potentially resulting in XSS (cross-site scripting) or other
| undesired behavior when that HTML is rendered in a browser. This has
| been fixed in 5.2.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-4054
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4054
[1] https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m
[2] https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ruby-sanitize
Source-Version: 4.6.6-2.1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ruby-sanitize, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 963...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated ruby-sanitize package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 12 Jul 2020 15:02:54 +0200
Source: ruby-sanitize
Architecture: source
Version: 4.6.6-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 963808
Changes:
ruby-sanitize (4.6.6-2.1) unstable; urgency=medium
.
* Non-maintainer upload.
* fix: Don't treat :remove_contents as `true` when it's an Array
* feat: Remove useless filtered element content by default
* Fix sanitization bypass in HTML foreign content (CVE-2020-4054)
(Closes: #963808)
Checksums-Sha1:
8582b93426faf2d90f4160e06afae90d597bf448 2298 ruby-sanitize_4.6.6-2.1.dsc
9758396904eb64a50c00d95cdacb051926675d25 7484 ruby-sanitize_4.6.6-2.1.debian.tar.xz
7e3a5285a51d66a6fee96a94b3ccf89ce6ef5c7b 7239 ruby-sanitize_4.6.6-2.1_source.buildinfo
Checksums-Sha256:
f20d0a27b4d330eb5f38f333a20fa2bfee63c58a65c7574dd92133dda56d6567 2298 ruby-sanitize_4.6.6-2.1.dsc
6d3534b5629eece6ebd3ae73df46050d30dae7cf35bddc3c589cd902131239e3 7484 ruby-sanitize_4.6.6-2.1.debian.tar.xz
d558ad725df7d42232aa1bb77409d2a260cfad3bc589e789a523661a163a09cf 7239 ruby-sanitize_4.6.6-2.1_source.buildinfo
Files:
680cb8fbe6736f844b48f0af1f66543a 2298 ruby optional ruby-sanitize_4.6.6-2.1.dsc
196d9df60995ebcc04b50b99aa94c74b 7484 ruby optional ruby-sanitize_4.6.6-2.1.debian.tar.xz
d4379c541e08a08915291f158fa10868 7239 ruby optional ruby-sanitize_4.6.6-2.1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl8MvrNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ERHMP/3AYP/aJOeg/iUtB0xb79cHHlosIHqXQ
JGydHKTWGXVB3tFPI2WwegVVfnBeAgMwcdJTihKhenXKxs3FZMzmn7cJVDclFC+t
VLsGdN5zPsEZGoIbhK8se9pPANmi2B2Ac9L1XydKUW2HOxyx8A8X2fNmHmwUHrM3
Meh5Ketsz73qxdcuxFAisKDV6GS155D6pgb5C0wR5redY4G3niYct90OX8RNsiA0
y0U/O6DnDsv6p61g68R/nq9Led8DTYZIUuOeMVD1AuARinwWfJ+vdk8vuwB2mLf4
BrPRZ9SObzV9AnL5M79soxIuK1oggKXsvDYFRcY8ua9UBLsQBGLfnjSBD13m4+wA
6ImJe/WLzP5DV1+IBYTfELdr6g3heouADclnll8SUr4gPdYyWKX2ED3NCJYWY2W4
cgtkGasTZRPcmokD2hH5N072hDxF10na595zdrTPqpAMhF/yarc+16Hq2cSZRE9N
nJ/V9TbYbCV/vCEBxgTx+FdeUHv24eV50475Spsb6o7ILtgrUCYFhDdBCT9b90NA
iRyYf1LNq5xDfm/NmiwN1ZxyCMd+p66iY7lvUPt3iFxv5TNDNiMSsc4PGw2Bj/y2
wyp5hiGqlQxaJGzbcUtW5QGcA65p+NHnrDsSooQAkLjL6D7xbPzYcSmuw/d2l8z0
xJRlvTuDT2jo
=9t3U
-----END PGP SIGNATURE-----
--- End Message ---
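The CVE text in the bug report above gives the affected version range and lists the elements whose presence in an allowlist makes a config "likely vulnerable" (iframe, math, noembed, noframes, noscript, plaintext, script, style, svg, xmp), and the changelog in the closing message records that the fixed package removes the filtered content of those elements by default and that `:remove_contents` may be an Array rather than `true`. What follows is an added example, not code from the bug report, from Debian, or from the sanitize gem: a stdlib-only Ruby audit of a Sanitize-style config hash against exactly those conditions. The `RELAXED_LIKE` hash is a constructed stand-in for `Sanitize::Config::RELAXED` (it is not the real constant), the function names are the example's own, and the `harden` workaround is an assumption modelled on the changelog's default change for deployments that cannot upgrade yet; upgrading to a fixed version (5.2.1 upstream, 4.6.6-2.1 in Debian) remains the actual fix.

```ruby
# Added example (not part of the bug report or of the sanitize gem): audit a
# Sanitize-style config hash offline against the CVE-2020-4054 conditions.
# Only the Ruby standard library is used; the gem is not required.
require 'rubygems' # Gem::Version for the version-range comparison

# Elements named in the advisory text as making a config "likely vulnerable"
# when allowed: their content is parsed differently inside math/svg foreign
# content than in ordinary HTML, so unwrapping a filtered math/svg element
# can change the meaning of what is left behind.
RISKY_ELEMENTS = %w[iframe math noembed noframes noscript plaintext script
                    style svg xmp].freeze

# Affected range from the CVE text: >= 3.0.0 and < 5.2.1.
def vulnerable_version?(version)
  v = Gem::Version.new(version)
  v >= Gem::Version.new('3.0.0') && v < Gem::Version.new('5.2.1')
end

# :remove_contents is either true (strip the contents of every filtered
# element), an Array of element names (strip contents only for those), or
# false/nil. Normalise the Array form; anything else yields an empty list.
def remove_contents_list(config)
  rc = config[:remove_contents]
  rc.is_a?(Array) ? rc.map(&:to_s) : []
end

# Risky elements whose contents would survive filtering, i.e. elements that
# get unwrapped rather than removed outright. With remove_contents: true
# nothing survives, so nothing is unwrapped.
def unwrapped_risky_elements(config)
  return [] if config[:remove_contents] == true
  RISKY_ELEMENTS - remove_contents_list(config)
end

# Risky elements the config actually allows; the advisory ties exposure to
# allowing one or more of them.
def allowed_risky_elements(config)
  RISKY_ELEMENTS & Array(config[:elements]).map(&:to_s)
end

# True when the config matches the "likely vulnerable" shape: at least one
# risky element is allowed and filtered risky elements are still unwrapped.
def config_at_risk?(config)
  !allowed_risky_elements(config).empty? && !unwrapped_risky_elements(config).empty?
end

# Workaround for an un-upgradeable gem (assumption: this mirrors the
# "remove filtered element content by default" changelog entry; it is not
# the upstream fix): make every risky element drop its children when it is
# filtered, instead of leaving them in place.
def harden(config)
  return config if config[:remove_contents] == true
  config.merge(remove_contents: (remove_contents_list(config) | RISKY_ELEMENTS).sort)
end

# Constructed stand-in for a "relaxed"-style config (NOT the real
# Sanitize::Config::RELAXED): allows style but not math/svg, and leaves
# :remove_contents at the old default of false.
RELAXED_LIKE = {
  elements: %w[a b i p img span style],
  remove_contents: false
}.freeze

if __FILE__ == $0
  puts "sanitize 4.6.6 in affected range? #{vulnerable_version?('4.6.6')}"
  puts "allowed risky elements: #{allowed_risky_elements(RELAXED_LIKE).inspect}"
  puts "config at risk? #{config_at_risk?(RELAXED_LIKE)}"
  puts "hardened :remove_contents: #{harden(RELAXED_LIKE)[:remove_contents].inspect}"
  puts "hardened config at risk? #{config_at_risk?(harden(RELAXED_LIKE))}"
end
```

To run it against a real application, pass the hash you hand to `Sanitize.fragment` (or the result of `Sanitize::Config.merge`) in place of `RELAXED_LIKE`; the check only reads `:elements` and `:remove_contents`, so it works with any Sanitize config hash regardless of gem version.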