Your message dated Sat, 03 Apr 2021 16:18:30 +0000
with message-id <e1lsiyk-0002c1...@fasolo.debian.org>
and subject line Bug#985569: fixed in ruby-kramdown 2.3.0-5
has caused the Debian Bug report #985569,
regarding ruby-kramdown: CVE-2021-28834
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
985569: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985569
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-kramdown
Version: 2.3.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/gettalong/kramdown/pull/708
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for ruby-kramdown.
CVE-2021-28834[0]:
| Kramdown before 2.3.1 does not restrict Rouge formatters to the
| Rouge::Formatters namespace, and thus arbitrary classes can be
| instantiated.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-28834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28834
[1] https://github.com/gettalong/kramdown/pull/708
[2] https://github.com/gettalong/kramdown/commit/d6a1cbcb2caa2f8a70927f176070d126b2422760
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1941044
[4] https://gitlab.com/gitlab-org/gitlab/-/commit/179329b5c3c118924fb242dc449d06b4ed6ccb66
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
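Added example, not kramdown's or Rouge's own code: it shows the namespace restriction the CVE description above calls for, with a constant lookup that escapes the namespace beside one that does not. The Rouge::Formatters module is a constructed stand-in so the script runs without the rouge gem, and both function names are hypothetical.

```ruby
# Constructed stand-in for the real Rouge::Formatters namespace.
module Rouge
  module Formatters
    VERSION = "stub"          # a non-class constant, to show the Class check
    class HTML; end
    class Terminal256; end
  end
end

# The bug class: Module#const_get with inherit=true (the default) also
# consults Object, so a name taken from a document can select any
# top-level class, e.g. "Kernel" or "File", not just a formatter.
def unrestricted_formatter(name)
  Rouge::Formatters.const_get(name)
end

# A plain constant name: no "::" path components, no leading "::".
FORMATTER_NAME = /\A[A-Z][A-Za-z0-9_]*\z/

# Hardened lookup: the name must be a bare constant name, must be defined
# directly inside Rouge::Formatters (inherit=false ignores Object and
# ancestors), and the resolved constant must actually be a Class.
def restricted_formatter(name)
  name = name.to_s
  unless FORMATTER_NAME.match?(name)
    raise ArgumentError, "bad formatter name: #{name.inspect}"
  end
  unless Rouge::Formatters.const_defined?(name, false)
    raise ArgumentError, "unknown formatter: #{name}"
  end
  klass = Rouge::Formatters.const_get(name, false)
  unless klass.is_a?(Class)
    raise ArgumentError, "not a formatter class: #{name}"
  end
  klass
end

# Convenience predicate for callers that just want to validate input.
def valid_formatter_name?(name)
  restricted_formatter(name)
  true
rescue ArgumentError
  false
end
```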
--- Begin Message ---
Source: ruby-kramdown
Source-Version: 2.3.0-5
Done: Antonio Terceiro <terce...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ruby-kramdown, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Antonio Terceiro <terce...@debian.org> (supplier of updated ruby-kramdown package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sat, 03 Apr 2021 10:39:28 -0300
Source: ruby-kramdown
Architecture: source
Version: 2.3.0-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terce...@debian.org>
Closes: 985569
Changes:
ruby-kramdown (2.3.0-5) unstable; urgency=medium
.
* Team upload.
* Add upstream patch to fix arbitrary code execution vulnerability
[CVE-2021-28834] (Closes: #985569)
--- End Message ---