Your message dated Thu, 23 Jul 2020 20:44:12 +0000
with message-id <e1jyi4a-0006um...@fasolo.debian.org>
and subject line Bug#963808: fixed in ruby-sanitize 4.6.6-2.1~deb10u1
has caused the Debian Bug report #963808,
regarding ruby-sanitize: CVE-2020-4054: HTML sanitization bypass in Sanitize
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
963808: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963808
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-sanitize
Version: 4.6.6-2
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerability was published for ruby-sanitize.
CVE-2020-4054[0]:
| In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less
| than 5.2.1, there is a cross-site scripting vulnerability. When HTML
| is sanitized using Sanitize's "relaxed" config, or a custom config
| that allows certain elements, some content in a math or svg element
| may not be sanitized correctly even if math and svg are not in the
| allowlist. You are likely to be vulnerable to this issue if you use
| Sanitize's relaxed config or a custom config that allows one or more
| of the following HTML elements: iframe, math, noembed, noframes,
| noscript, plaintext, script, style, svg, xmp. Using carefully crafted
| input, an attacker may be able to sneak arbitrary HTML through
| Sanitize, potentially resulting in XSS (cross-site scripting) or other
| undesired behavior when that HTML is rendered in a browser. This has
| been fixed in 5.2.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-4054
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4054
[1] https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m
[2] https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9
Regards,
Salvatore
--- End Message ---
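Two offline checks a practitioner would want after reading the advisory text above, written here as an added example; this is not code from the Debian bug report, from the sanitize gem, or from the Debian security team. The first check reads the resolved sanitize version out of a Gemfile.lock and tests it against the affected range the advisory gives (>= 3.0.0 and < 5.2.1). The second takes a Sanitize-style config hash (the gem expresses allowed tags as an :elements array; the config contents here are constructed, not the gem's real RELAXED config) and lists which of the ten elements named in the advisory it allows. The Gemfile.lock text is a constructed sample. Only the Ruby standard library is used, so it runs without the gem installed.

```ruby
# Added example: offline exposure checks for CVE-2020-4054 as described in
# the advisory text (affected range and risky element list taken from it).
# Not part of the sanitize gem or the Debian package.
require "rubygems" # Gem::Version lives in rubygems (loaded by default)

AFFECTED_MIN = Gem::Version.new("3.0.0") # inclusive lower bound per advisory
FIXED_IN     = Gem::Version.new("5.2.1") # exclusive upper bound per advisory

# Elements the advisory says make a config exposed if it allows any of them.
RISKY_ELEMENTS = %w[iframe math noembed noframes noscript plaintext
                    script style svg xmp].freeze

# True when an upstream gem version string falls inside the affected range.
def affected_version?(version_string)
  v = Gem::Version.new(version_string)
  v >= AFFECTED_MIN && v < FIXED_IN
end

# Extract the resolved version of a gem from Gemfile.lock text. In the
# "specs:" section a resolved gem is indented four spaces, e.g.
# "    sanitize (4.6.6)"; its dependencies are indented six and are skipped.
def locked_version(lockfile_text, gem_name = "sanitize")
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*\z/
  lockfile_text.each_line do |line|
    m = line.match(pattern)
    return m[1] if m
  end
  nil
end

# Given a Sanitize-style config hash, return the risky elements it allows,
# in the order they appear in the config.
def risky_elements(config)
  allowed = Array(config[:elements]).map(&:to_s)
  allowed & RISKY_ELEMENTS
end

# Combine both checks into one report for a lockfile and a config.
def audit(lockfile_text, config)
  version = locked_version(lockfile_text)
  {
    version: version,
    version_affected: version ? affected_version?(version) : false,
    risky_elements: risky_elements(config)
  }
end

# Constructed sample Gemfile.lock fragment (not a real project's lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      sanitize (4.6.6)
        crass (~> 1.0.2)
        nokogiri (>= 1.4.4)
        nokogumbo (~> 2.0)
  PLATFORMS
    ruby
LOCK

# Constructed configs: one that allows math and svg, one that does not.
CUSTOM_CONFIG = { elements: %w[a b em i p strong math svg] }.freeze
SAFE_CONFIG   = { elements: %w[a b em i p strong] }.freeze

if __FILE__ == $PROGRAM_NAME
  p audit(SAMPLE_LOCK, CUSTOM_CONFIG)
  p audit(SAMPLE_LOCK, SAFE_CONFIG)
end
```

One caveat that follows directly from this report: the Debian fix ships as package version 4.6.6-2.1~deb10u1, a backport of the upstream commit onto 4.6.6, so a check that only compares the gem's upstream version string will keep flagging a patched buster system. For the Debian package, compare the package version against the fixed one in the tracker instead of trusting the gem version alone.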
--- Begin Message ---
Source: ruby-sanitize
Source-Version: 4.6.6-2.1~deb10u1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ruby-sanitize, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 963...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated ruby-sanitize package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 18 Jul 2020 21:11:58 +0200
Source: ruby-sanitize
Architecture: source
Version: 4.6.6-2.1~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 963808
Changes:
ruby-sanitize (4.6.6-2.1~deb10u1) buster-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Rebuild for buster-security
.
ruby-sanitize (4.6.6-2.1) unstable; urgency=medium
.
* Non-maintainer upload.
* fix: Don't treat :remove_contents as `true` when it's an Array
* feat: Remove useless filtered element content by default
* Fix sanitization bypass in HTML foreign content (CVE-2020-4054)
(Closes: #963808)
Checksums-Sha1:
772273b36cb7d3d78ee631b055ebc43791d6e790 2330 ruby-sanitize_4.6.6-2.1~deb10u1.dsc
e660c44ac13c945d43598eaf3a6f4f68c0b472ec 40115 ruby-sanitize_4.6.6.orig.tar.gz
a517ab73882ea7b83d28332b8456d4360eadebb5 7544 ruby-sanitize_4.6.6-2.1~deb10u1.debian.tar.xz
ef1cafe55724a0534b70fc6729cef180ebdfb39c 7210 ruby-sanitize_4.6.6-2.1~deb10u1_source.buildinfo
Checksums-Sha256:
ce8d93ebff76b7c9c78d033a97d197e809985a671886259f5ccd01ce2152096b 2330 ruby-sanitize_4.6.6-2.1~deb10u1.dsc
5d5b72076d13b731638e6189a83988237a47ab4d8ce6bfa5aded31ec0f333238 40115 ruby-sanitize_4.6.6.orig.tar.gz
9fdecb0203bcf3eddfb8a40c010e4025458821fca4e66f31779dd25b3ad3b94a 7544 ruby-sanitize_4.6.6-2.1~deb10u1.debian.tar.xz
5d26c6dcf630ff9e4d5ae62c8d267155e5a605fa43ead3cc1c8994c8e2840864 7210 ruby-sanitize_4.6.6-2.1~deb10u1_source.buildinfo
Files:
b3c812b64b39fb5f586d41ef59724652 2330 ruby optional ruby-sanitize_4.6.6-2.1~deb10u1.dsc
aa34226fdbfd69430ae83aabbb8d894a 40115 ruby optional ruby-sanitize_4.6.6.orig.tar.gz
0a92404b1cd28519c525de9ad4b3e8ee 7544 ruby optional ruby-sanitize_4.6.6-2.1~deb10u1.debian.tar.xz
06972bf224c633df58d9a10fe3848ea0 7210 ruby optional ruby-sanitize_4.6.6-2.1~deb10u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl8TSeVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EuBIP/j2+xttQ4KzuB5S4gmtpoHeEp+WUwiRU
9AZMZCz57bb1UI2IoTG0d6wIktUHUDrGaSkNlEsSthl8iZpyp8HHfYopWJkFD+rZ
BbmCqO7coFXe65fqhbxMpIr9CDjNVuEkeH5WQAfcKNpSJoLMbzViY1kHvF0Veq/r
qiVle/aICCzLWVJpthkzfPv+5vfF679c/H9zZcqsTEdXRsQ20BearRH4MX98cQCe
BBkLRFcmwf9dM91LANy9zgAH9N+CxLt6KymQtfxPnu2HwOyUuQXPS1woutEADzXt
IiSZhCUrCgQNJLE1uEG58hcNs7nq90BwO2lZG1zfbjuW5lFABIFLxrN9KTy6pfdf
BU0ZqdNOcD4/omjpjyJBudJ3uKAmp5qnmICj/PUrwQmYlcIrWlmzvBKjhumF7ftA
YNnIirdDbQ3VDjG4vIG76dRV5d3qrNR8fH3czAzqJyfFl1kAm77zMjBY+dFzS7vc
IHm2tYYY7f0kcVnYLoptdNFQ53EJcLPf9RTnfITU2csfyTJ6DRQM4znT/pb3mbAU
YaUpWT/Ys9rNP0jVqh7veeNCt+0RU9nHbM9lf0aG1DsSrkbYB7xP3js3h95A2izw
ZGHtc3xmS1QeXlzN8KcjXLnA63NCh7+YKc2Z3ZB2BsG5YHiTwUs8fqqFUCxaKcqj
4mf0OcOmJgc/
=rhQc
-----END PGP SIGNATURE-----
--- End Message ---