-------------------------------------------------------------------------
Debian LTS Advisory DLA-2864-1                          [email protected]
https://www.debian.org/lts/security/                        Utkarsh Gupta
December 29, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ruby-haml
Version        : 4.0.7-1+deb9u1
CVE ID         : CVE-2017-1002201

In ruby-haml, which is an elegant, structured XHTML/XML templating
engine, when using user input to perform tasks on the server,
characters like < > " ' must be escaped properly. In this case, the
' character was missed. An attacker can manipulate the input to
introduce additional attributes, potentially executing code.

For Debian 9 stretch, this problem has been fixed in version
4.0.7-1+deb9u1.

We recommend that you upgrade your ruby-haml packages.

For the detailed security status of ruby-haml please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-haml

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
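
The escaping gap described above, as an added Ruby illustration that is
not code from ruby-haml or from this advisory. The helper names, the
link markup and the sample input are constructed, and the attribute is
assumed to be wrapped in single quotes.

```ruby
# Added illustration; not ruby-haml source. All names here are hypothetical.

# Escape table that omits the single quote: the gap the advisory describes.
INCOMPLETE_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;'
}.freeze

# The same table with the single quote covered.
COMPLETE_ESCAPES = INCOMPLETE_ESCAPES.merge("'" => '&#39;').freeze

# Replace every character listed in the table in one pass, so entities
# produced by the table are never escaped a second time.
def escape_with(table, text)
  text.to_s.gsub(Regexp.union(table.keys), table)
end

# Render a link whose title attribute is wrapped in single quotes
# (assumption: this is how the template emits the attribute).
def render_link(table, title)
  "<a title='#{escape_with(table, title)}'>profile</a>"
end

# List the single-quoted attributes present in the opening tag, as a
# simple stand-in for what an HTML parser would see.
def attribute_names(html)
  html[/\A<[^>]*>/].scan(/([\w-]+)='[^']*'/).flatten
end

# Constructed, harmless input: closes the title value and adds a data attribute.
CONSTRUCTED_INPUT = "x' data-injected='1"

if __FILE__ == $PROGRAM_NAME
  [INCOMPLETE_ESCAPES, COMPLETE_ESCAPES].each do |table|
    html = render_link(table, CONSTRUCTED_INPUT)
    puts "#{html}  attributes: #{attribute_names(html).inspect}"
  end
end
```

With the incomplete table the value ends at the user-supplied quote and
a second attribute appears in the tag; with the complete table the whole
input stays inside the title value.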
