Your message dated Tue, 13 Apr 2021 13:47:16 +0000
with message-id <e1lwjns-0005fq...@fasolo.debian.org>
and subject line Bug#985569: fixed in ruby-kramdown 1.17.0-1+deb10u2
has caused the Debian Bug report #985569,
regarding ruby-kramdown: CVE-2021-28834
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
985569: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985569
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-kramdown
Version: 2.3.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/gettalong/kramdown/pull/708
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for ruby-kramdown.

CVE-2021-28834[0]:
| Kramdown before 2.3.1 does not restrict Rouge formatters to the
| Rouge::Formatters namespace, and thus arbitrary classes can be
| instantiated.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-28834
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28834
[1] https://github.com/gettalong/kramdown/pull/708
[2] https://github.com/gettalong/kramdown/commit/d6a1cbcb2caa2f8a70927f176070d126b2422760
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1941044
[4] https://gitlab.com/gitlab-org/gitlab/-/commit/179329b5c3c118924fb242dc449d06b4ed6ccb66

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
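The CVE text quoted above describes a class-lookup flaw: a formatter option resolved through the global constant table can select any loaded class. The Ruby below is an added example, not kramdown's or Rouge's code; the Rouge namespace is a constructed stub and UnrelatedClass is a hypothetical bystander class, so the unrestricted lookup can be compared with one confined to Rouge::Formatters.

```ruby
# Added example, not kramdown's or Rouge's code. The Rouge namespace below is a
# constructed stub so the lookup logic runs without the gem installed.
module Rouge
  class Formatter; end
  module Formatters
    class HTML < Formatter; end
    class Terminal256 < Formatter; end
  end
end

# Hypothetical bystander class: reachable by name, but never meant to be picked
# by a user-controlled "formatter" option.
class UnrelatedClass; end

# Pattern the CVE describes: the option is resolved against the global constant
# table, so any class name (including nested "A::B" paths) is accepted.
def formatter_class_unrestricted(name)
  Object.const_get(name)
end

# Hardened lookup: a single bare constant name, resolved only inside
# Rouge::Formatters (inherit = false keeps Object's constants out of reach),
# and the result must be a formatter class rather than any constant that
# happens to live in that namespace.
FORMATTER_NAME = /\A[[:upper:]][[:alnum:]_]*\z/

def formatter_class_restricted(name)
  name = name.to_s
  unless name.match?(FORMATTER_NAME)
    raise ArgumentError, "invalid formatter name: #{name.inspect}"
  end
  klass = begin
    Rouge::Formatters.const_get(name, false)
  rescue NameError
    raise ArgumentError, "unknown formatter: #{name}"
  end
  unless klass.is_a?(Class) && klass < Rouge::Formatter
    raise ArgumentError, "#{name} is not a Rouge formatter"
  end
  klass
end

puts formatter_class_restricted("HTML")             # Rouge::Formatters::HTML
puts formatter_class_unrestricted("UnrelatedClass") # resolves: the flaw
```

The restricted variant rejects nested paths, lowercase or empty names, and any constant that is not a Rouge::Formatter subclass.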
--- Begin Message ---
Source: ruby-kramdown
Source-Version: 1.17.0-1+deb10u2
Done: Antonio Terceiro <terce...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-kramdown, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terce...@debian.org> (supplier of updated ruby-kramdown package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 03 Apr 2021 13:05:12 -0300
Source: ruby-kramdown
Architecture: source
Version: 1.17.0-1+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terce...@debian.org>
Closes: 985569
Changes:
 ruby-kramdown (1.17.0-1+deb10u2) buster-security; urgency=high
 .
   * Team upload.
   * Add upstream patch to fix arbitrary code execution vulnerability
     [CVE-2021-28834] (Closes: #985569)


--- End Message ---