Your message dated Tue, 21 Jul 2020 19:18:45 +0000
with message-id <e1jxxmn-0008qc...@fasolo.debian.org>
and subject line Bug#965305: fixed in ruby-kramdown 2.3.0-1
has caused the Debian Bug report #965305,
regarding ruby-kramdown: CVE-2020-14001
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
965305: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965305
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-kramdown
Version: 1.17.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Control: found -1 1.17.0-1
Hi,
The following vulnerability was published for ruby-kramdown.
CVE-2020-14001[0]:
| The kramdown gem before 2.3.0 for Ruby processes the template option
| inside Kramdown documents by default, which allows unintended read
| access (such as template="/etc/passwd") or unintended embedded Ruby
| code execution (such as a string that begins with
| template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab
| Pages, GitHub Pages, and Thredded Forum.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-14001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001
[1] https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
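The CVE text quoted above says that kramdown before 2.3.0 honours a `template` option set inline in the document itself, so an untrusted Markdown file can name a file to read or a `string://` ERB template to evaluate. The script below is an added example, not code from this report, from Debian or from the kramdown project: a pre-processing check an application that renders user-supplied Markdown can run before handing the text to the converter, flagging and stripping inline option extensions that set keys the application never wants to accept from a document. It assumes kramdown's inline option extension syntax `{::options key="value" /}` and uses a constructed sample document; the kramdown gem itself is not needed to run it. The real fix is the upgrade to 2.3.0 that closes this bug; a check like this is defence in depth for a deployment that cannot upgrade yet, and a source of log events for attempts.

```ruby
# Added example (not from the bug report, Debian or the kramdown project):
# flag and strip kramdown inline option extensions that set keys an
# application should never accept from untrusted Markdown. Pure Ruby; the
# kramdown gem is not needed. Assumes kramdown's inline extension syntax
# {::options key="value" /}.

# Keys that must never be settable from inside a document. `template` is the
# one named in CVE-2020-14001.
FORBIDDEN_INLINE_OPTIONS = %w[template].freeze

# One {::options ... /} extension; the /m flag lets the body span lines.
INLINE_OPTIONS_RE = /\{::options\s+(?<body>[^}]*?)\s*\/\}/m

# One key="value" or key='value' pair inside the extension body.
PAIR_RE = /(?<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:"(?<dq>[^"]*)"|'(?<sq>[^']*)')/

Finding = Struct.new(:line, :key, :value)

# Return a Finding (1-based line, key, value) for every forbidden key that an
# inline extension tries to set.
def find_forbidden_inline_options(markdown, forbidden: FORBIDDEN_INLINE_OPTIONS)
  findings = []
  pos = 0
  while (ext = INLINE_OPTIONS_RE.match(markdown, pos))
    pos = ext.end(0)
    line = markdown[0...ext.begin(0)].count("\n") + 1
    ext[:body].scan(PAIR_RE).each do |key, dq, sq|
      next unless forbidden.include?(key.downcase)
      findings << Finding.new(line, key.downcase, dq || sq)
    end
  end
  findings
end

# Rewrite the document so that inline extensions keep only permitted keys;
# an extension left with no keys is removed entirely.
def strip_forbidden_inline_options(markdown, forbidden: FORBIDDEN_INLINE_OPTIONS)
  markdown.gsub(INLINE_OPTIONS_RE) do
    body = Regexp.last_match[:body]
    kept = body.scan(PAIR_RE).reject { |key, _dq, _sq| forbidden.include?(key.downcase) }
    next "" if kept.empty?
    pairs = kept.map { |key, dq, sq| dq ? %(#{key}="#{dq}") : %(#{key}='#{sq}') }
    "{::options #{pairs.join(' ')} /}"
  end
end

# Constructed sample: one legitimate inline option and one that tries to set
# `template` with the value quoted in the CVE description.
SAMPLE_UNTRUSTED_MARKDOWN = <<~MD
  # Post title

  {::options auto_ids="false" /}

  Some text.

  {::options template="/etc/passwd" /}
MD

if $PROGRAM_NAME == __FILE__
  find_forbidden_inline_options(SAMPLE_UNTRUSTED_MARKDOWN).each do |f|
    warn "line #{f.line}: inline option #{f.key}=#{f.value.inspect} rejected"
  end
  puts strip_forbidden_inline_options(SAMPLE_UNTRUSTED_MARKDOWN)
end
```

Run on the sample, the check reports the `template` extension on line 7 and the stripped output keeps the harmless `auto_ids` extension. Rejecting the whole document, rather than silently stripping, is the better choice when the finding should be treated as a signal of abuse rather than a user mistake.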
--- Begin Message ---
Source: ruby-kramdown
Source-Version: 2.3.0-1
Done: Pirate Praveen <prav...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ruby-kramdown, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 965...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pirate Praveen <prav...@debian.org> (supplier of updated ruby-kramdown package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 21 Jul 2020 21:02:27 +0530
Source: ruby-kramdown
Architecture: source
Version: 2.3.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Pirate Praveen <prav...@debian.org>
Closes: 965305
Changes:
ruby-kramdown (2.3.0-1) experimental; urgency=medium
.
* Team upload.
* New upstream version 2.3.0 (Closes: #965305) (Fixes: CVE-2020-14001)
* Bump Standards-Version to 4.5.0 (no changes needed)
* Drop patches not needed anymore
Checksums-Sha1:
d38fc9e1471d683317788c34b9d7f349d7e914a6 2278 ruby-kramdown_2.3.0-1.dsc
5c77c487286e187af5f537aa88364206f9019703 123436 ruby-kramdown_2.3.0.orig.tar.gz
7350240f082a15f26074e200a048ba8bcc8cd8ff 5116 ruby-kramdown_2.3.0-1.debian.tar.xz
6fd3552aacadbe198e8751a58ae4f51f816ce74e 10830 ruby-kramdown_2.3.0-1_amd64.buildinfo
Checksums-Sha256:
404fcb072529131f368067d625a0b54e993f707244c9d1440b2d745a3e7d0176 2278 ruby-kramdown_2.3.0-1.dsc
dd56cd8ee1656ffb5d5fd90ce8f4f5b7f4d4a78cf6ef57b16cfc96416086a12f 123436 ruby-kramdown_2.3.0.orig.tar.gz
2e608f1c1953f281990653eef54eea5f386aaa8362f16ffbc55f81705ca0ced0 5116 ruby-kramdown_2.3.0-1.debian.tar.xz
ff4b42c987262a8aa292418b71a5272defc9af00ae6d6042f95e96f5dfa40d5a 10830 ruby-kramdown_2.3.0-1_amd64.buildinfo
Files:
39edcd7f2977858cfdae82eef4969a2b 2278 ruby optional ruby-kramdown_2.3.0-1.dsc
5825e6e7b3a50704de27573c18d60492 123436 ruby optional ruby-kramdown_2.3.0.orig.tar.gz
60937dfaed9546645a7221eda121d59d 5116 ruby optional ruby-kramdown_2.3.0-1.debian.tar.xz
95e76ecdba31c7825e0214739e9da2f8 10830 ruby optional ruby-kramdown_2.3.0-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE0whj4mAg5UP0cZqDj1PgGTspS3UFAl8XPMQACgkQj1PgGTsp
S3WG0g//QkFb7gWVZ8GSE3xhmei9Cd2K0gw6PFlZ4qv4IkkY/m7wdQaTQKRs7HdG
PNzdwsdQAiuIJqJ534v8gYaSuFtkkCydBCMwyYCu8XYNNtE2tcNhgDhH1hPoYKqO
GqlGdEMwt2f2Y8nzIQWWUP0kZoXPyh/7A8rD5dC5oBT6lZFda83k7f7BRD9Lq317
ckGi9zH+Iwx1DeFWVDqxYCcLe+Z28wPyHlfSnR4YSUhjOKRbLHzstNwjUlN4Qs4f
/CEYh+p9WAPOF0GwWXekemJA0PC/VHWPofVhm5y6Ko1CRUIZQOGAwWULX+zNjqMX
vIVnjtAPbjiddzeevNhfjPdMR/dB8BR4Czl0CgS5TzQH5MSElISRHWAsTz68NP18
zRMgpLigL7lprsINmBmhilKloc5BLfV/0+NoEufDMpG5o6ZV2Z5PPljwur2XS70z
MYz8sBPxfY06v2VCqFbdrsLfW8Ptf6Ol15E4Sk9VguPoorBYtT65991qBqfQ7PIv
ujxc58X0c6a5E/SNandA9rQESmslgZLcS/nqAE1zZrURuXP7dinWXt9dT4n3ez+r
6w8+TdIoBZnbx3uLuN9/jWBrBcvCMgW5DREGbj0SW7/NWELAx3ipf0kJ8PWvoMrZ
4LGeKkQ4MkwID8czTATQiaC+usgAscNG9dEe9JQayb5r/Wm6TLo=
=b8Fd
-----END PGP SIGNATURE-----
--- End Message ---