Debian Bug report logs - #980057
ruby-redcarpet: CVE-2020-26298


Package: src:ruby-redcarpet; Maintainer for src:ruby-redcarpet is Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 13 Jan 2021 15:51:01 UTC

Severity: grave

Tags: security, upstream

Found in versions ruby-redcarpet/3.4.0-4, ruby-redcarpet/3.5.0-2

Fixed in versions ruby-redcarpet/3.5.1-1, ruby-redcarpet/3.4.0-4+deb10u1

Done: Utkarsh Gupta <utkarsh@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#980057; Package src:ruby-redcarpet. (Wed, 13 Jan 2021 15:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 13 Jan 2021 15:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-redcarpet: CVE-2020-26298
Date: Wed, 13 Jan 2021 16:49:43 +0100
Source: ruby-redcarpet
Version: 3.5.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for ruby-redcarpet.

CVE-2020-26298[0]:
| Redcarpet is a Ruby library for Markdown processing. In Redcarpet
| before version 3.5.1, there is an injection vulnerability which can
| enable a cross-site scripting attack. In affected versions no HTML
| escaping was being performed when processing quotes. This applies even
| when the `:escape_html` option was being used. This is fixed in
| version 3.5.1 by the referenced commit.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-26298
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26298
[1] https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793
[2] https://github.com/advisories/GHSA-q3wr-qw3g-3p4h

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Lucas Nussbaum <lucas@debian.org>:
You have taken responsibility. (Wed, 13 Jan 2021 21:51:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 13 Jan 2021 21:51:05 GMT)


Message #10 received at 980057-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 980057-close@bugs.debian.org
Subject: Bug#980057: fixed in ruby-redcarpet 3.5.1-1
Date: Wed, 13 Jan 2021 21:49:21 +0000
Source: ruby-redcarpet
Source-Version: 3.5.1-1
Done: Lucas Nussbaum <lucas@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-redcarpet, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 980057@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lucas Nussbaum <lucas@debian.org> (supplier of updated ruby-redcarpet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 13 Jan 2021 21:52:33 +0100
Source: ruby-redcarpet
Architecture: source
Version: 3.5.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Lucas Nussbaum <lucas@debian.org>
Closes: 980057
Changes:
 ruby-redcarpet (3.5.1-1) unstable; urgency=medium
 .
   [ Cédric Boutillier ]
   * [ci skip] Update team name
   * [ci skip] Add .gitattributes to keep unwanted files out of the
     source package
 .
   [ Debian Janitor ]
   * Apply multi-arch hints. + ruby-redcarpet: Add Multi-Arch: same.
 .
   [ Lucas Nussbaum ]
   * New upstream version 3.5.1
     + Fixes CVE-2020-26298. Closes: 980057
   * Refresh packaging
     + debhelper compat level 13
     + Standards Version 4.5.1
Checksums-Sha1:
 26c062afcf4d470cd4e5fef4cd5bb03ac492d9d2 2181 ruby-redcarpet_3.5.1-1.dsc
 ac436c4db4738ba3fdf7f7e3b1cfa42fa26ef6c2 59825 ruby-redcarpet_3.5.1.orig.tar.gz
 97624fde5b3597796c6eda9a2d9fae5ecb5706df 4692 ruby-redcarpet_3.5.1-1.debian.tar.xz
 03099a8adaa11850b2d6c1236ef7b8eac53996be 9419 ruby-redcarpet_3.5.1-1_amd64.buildinfo
Checksums-Sha256:
 0af05202a10f85c52caba7ff83c0b9c87f39653778ffb6a08c929eeda2ed04e1 2181 ruby-redcarpet_3.5.1-1.dsc
 384b24cea6b2f46aed73f9ad18460458ea29f80f32c6696c2955b47349e2aefa 59825 ruby-redcarpet_3.5.1.orig.tar.gz
 b73267650492a8d5f1a6532c15b4d17b6a8b1d9ecb6b183d08ac100f10cef927 4692 ruby-redcarpet_3.5.1-1.debian.tar.xz
 204605b8ab2d64cd676f30acf6f8596dc0fe8ff2b2266351ed9413c1d997bf91 9419 ruby-redcarpet_3.5.1-1_amd64.buildinfo
Files:
 f7f19ab1be097967bd162ae31f2aea82 2181 ruby optional ruby-redcarpet_3.5.1-1.dsc
 2abee320c5ac0c22a2322071890745b3 59825 ruby optional ruby-redcarpet_3.5.1.orig.tar.gz
 ca1d354b6ca141b0740412a19123df9f 4692 ruby optional ruby-redcarpet_3.5.1-1.debian.tar.xz
 92addb6b62817d9368f5f01bbc04d646 9419 ruby optional ruby-redcarpet_3.5.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE/t7ByzN7z1CfQ8IkORS1MvTfvpkFAl//ZiwACgkQORS1MvTf
vpleGxAAntSuntuUMVWX/zcwzo4fNbZhhVbW1mZ4j/TXlIoGS8Aij6RDT6AgWqR3
Ew5EVoGrwUw5BnFoEckw0DN37cNkmHpvzl4rm+E3A8T/8bxjLJW5aXzABFyBvMTD
X3svaKHpTn17VIpYqq1zw7Ij2lGYDGWx82Zwwdve3K4X10ows9q4JoxX6lsl/tPw
ji4FiFDaFq4G5f6WD7E2jJ6i2SOwFx+uRMbbPQdcK4pYLk7QTOuO7Aah3XD/5QxI
kK2GmrgGGJuiw1DoqenZEruwEp5W9otHInZ7yBnXu/U92VwIzpIE6l0JiqJZjm1k
gPIgovLqoxpE6DLrk699iipxE6NnqwuYB8IbxIIaIQKs2CGGg8NgnQ5hPOmGpj7s
L9I7Or5x0WjGngr+NALI9n/OfO9NY2BD/vG1aU2P3MMglCsxD7HtmZ0W+gmANMny
/F7J1oCc6uGxd4b0JHgh2WDA+Gf3wiHNZIPKRz/gETXM+3QcxYItCrHwXX1hOHNj
ud5+Iz/xygeFJ7dMzDGSt2nuNwg7+qjM3EXClKhPjUU6/+S/TE1er4sozC7/kSat
nyzSRhZR+NbHA1buGxUSKVq8igIDfqwmzFU9To16ZsizE8fNduGv47S1qHLFwUDg
911QVgfR8QWWJ9MhpXzPwKOAQ/geZOOHJ1XvtcWVPP33FUkG/LM=
=WebO
-----END PGP SIGNATURE-----




Marked as found in versions ruby-redcarpet/3.4.0-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Jan 2021 20:09:05 GMT)


Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Jan 2021 20:09:05 GMT)


Reply sent to Utkarsh Gupta <utkarsh@debian.org>:
You have taken responsibility. (Sat, 16 Jan 2021 19:06:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 16 Jan 2021 19:06:07 GMT)


Message #19 received at 980057-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 980057-close@bugs.debian.org
Subject: Bug#980057: fixed in ruby-redcarpet 3.4.0-4+deb10u1
Date: Sat, 16 Jan 2021 19:02:13 +0000
Source: ruby-redcarpet
Source-Version: 3.4.0-4+deb10u1
Done: Utkarsh Gupta <utkarsh@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-redcarpet, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 980057@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utkarsh@debian.org> (supplier of updated ruby-redcarpet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 15 Jan 2021 01:32:04 +0530
Source: ruby-redcarpet
Binary: ruby-redcarpet ruby-redcarpet-dbgsym
Architecture: source amd64
Version: 3.4.0-4+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Description:
 ruby-redcarpet - Fast, safe and extensible Markdown to (X)HTML parser for Ruby
Closes: 980057
Changes:
 ruby-redcarpet (3.4.0-4+deb10u1) buster-security; urgency=high
 .
   * Fix a security vulnerability using `:quote` in combination with the
     `:escape_html` option. (Fixes: CVE-2020-26298) (Closes: #980057)
Checksums-Sha1:
 4485875b9583eb45e3d24449ac1d65e0448d70ce 2271 ruby-redcarpet_3.4.0-4+deb10u1.dsc
 d42646e282d369d9cc3ff76bc7ac0d756a1c462f 59311 ruby-redcarpet_3.4.0.orig.tar.gz
 a047bff36ff16cae501f6781fa44eb3957e0f4b0 5932 ruby-redcarpet_3.4.0-4+deb10u1.debian.tar.xz
 848dd551843b08b4e15ff682ff26038dd515db82 112704 ruby-redcarpet-dbgsym_3.4.0-4+deb10u1_amd64.deb
 b59760235e2b9ba28c2d9529d9987798878ae4b9 9380 ruby-redcarpet_3.4.0-4+deb10u1_amd64.buildinfo
 8f80cbff3efd37b670a97d8a8ca295e13a8567fa 47492 ruby-redcarpet_3.4.0-4+deb10u1_amd64.deb
Checksums-Sha256:
 49c3bd705562802da52ecd4fbefcca2d928ecddc98dbe7a54043b35b8bebac6f 2271 ruby-redcarpet_3.4.0-4+deb10u1.dsc
 506a854c0e1efce8ab84ea76d668ce529804d288298f4678753a1face221292d 59311 ruby-redcarpet_3.4.0.orig.tar.gz
 c4025375dcfbf4849690c487b6551ce713d43eb0e04bc91f3b0dbd529a312eea 5932 ruby-redcarpet_3.4.0-4+deb10u1.debian.tar.xz
 d800f78616a3e19d0e3f3551d3a86fe9e285c61e81d4e46c6c2dd40dc97e4a73 112704 ruby-redcarpet-dbgsym_3.4.0-4+deb10u1_amd64.deb
 fe204135e16d7fff4f8a5ea001830899c281145c5c4e935e70e75133f0862bc9 9380 ruby-redcarpet_3.4.0-4+deb10u1_amd64.buildinfo
 b5055a8c0ad435b080a4b361f1c0fa342a0005703fabeaf8ff2e164887c477cb 47492 ruby-redcarpet_3.4.0-4+deb10u1_amd64.deb
Files:
 6f102a33031260493da254fe8fbda53d 2271 ruby optional ruby-redcarpet_3.4.0-4+deb10u1.dsc
 ed589b29b2b26c2ae0f0c780af6796f8 59311 ruby optional ruby-redcarpet_3.4.0.orig.tar.gz
 b47d6303b5a79a313b01dda0cf0bbb91 5932 ruby optional ruby-redcarpet_3.4.0-4+deb10u1.debian.tar.xz
 083c5b08bb5f06d0bd9bf62540305308 112704 debug optional ruby-redcarpet-dbgsym_3.4.0-4+deb10u1_amd64.deb
 cee4d806546d04a4f6adb01734b84609 9380 ruby optional ruby-redcarpet_3.4.0-4+deb10u1_amd64.buildinfo
 e46e038a88da236623fd6630a214b897 47492 ruby optional ruby-redcarpet_3.4.0-4+deb10u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
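The advisory text in message #5 and the buster-security changelog entry above describe the same defect: with the `:quote` extension enabled, the text between the `<q>` tags reached the output unescaped even when the HTML renderer was built with `:escape_html`. The Ruby script below is an added example, not code from this bug log or from the redcarpet project. It uses only the public Redcarpet API (`Redcarpet::Render::HTML` with `escape_html: true`, `Redcarpet::Markdown` with `quote: true`) on a constructed sample input, and it assumes that a custom renderer's `quote(text)` callback receives the raw span text, which is an assumption about Redcarpet and not something this page states.

```ruby
# Added regression check for CVE-2020-26298 (example code, not part of the
# Debian bug log or of the redcarpet project). Redcarpet's :quote extension
# turns "text" into <q>text</q>; before 3.5.1 the text between the <q> tags
# was copied through verbatim even when the HTML renderer was built with
# escape_html: true.
require 'cgi'

# Constructed sample input: a quoted span that carries HTML markup. A correct
# renderer must hand the markup back as entities, never as a live tag.
SAMPLE_MARKDOWN = %q("<b>bold</b>" inside a quote).freeze

# True when no raw tag survives inside any <q>...</q> element of the output.
# Entity-escaped markup (&lt;b&gt;) does not match the tag pattern.
def quote_content_escaped?(html)
  inner_texts = html.scan(%r{<q>(.*?)</q>}m).flatten
  inner_texts.none? { |inner| inner.match?(%r{<[A-Za-z/!]}) }
end

# Renders the sample with the installed gem through the public Redcarpet API
# (Redcarpet::Render::HTML with escape_html: true, Markdown with quote: true).
# Returns :fixed, :vulnerable, or :unavailable when the gem is not installed,
# so the result can gate a CI job or a fleet check.
def check_installed_redcarpet(markdown = SAMPLE_MARKDOWN)
  begin
    require 'redcarpet'
  rescue LoadError
    return :unavailable
  end
  renderer = Redcarpet::Render::HTML.new(escape_html: true)
  html = Redcarpet::Markdown.new(renderer, quote: true).render(markdown)
  quote_content_escaped?(html) ? :fixed : :vulnerable
end

# Custom Ruby renderers can override quote(text). Assumption (not stated on
# the page): the text handed to that callback is the raw span, so the same
# omission is possible there. The two variants side by side:
def render_quote_unescaped(text)   # mirrors the pre-3.5.1 behaviour
  "<q>#{text}</q>"
end

def render_quote_escaped(text)     # the behaviour the fix restores
  "<q>#{CGI.escapeHTML(text)}</q>"
end

if __FILE__ == $PROGRAM_NAME
  puts "installed redcarpet: #{check_installed_redcarpet}"
  puts "unescaped: #{render_quote_unescaped('<b>bold</b>')}"
  puts "escaped:   #{render_quote_escaped('<b>bold</b>')}"
end
```

Run it on a host where the gem is installed: `:vulnerable` on a system that should carry 3.4.0-4+deb10u1 or 3.5.1-1 means the fixed package has not actually landed. The checker only inspects `<q>` elements because without `quote: true` the sample renders with no quote tags at all and would trivially pass.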




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 14 Feb 2021 07:26:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Oct 8 03:13:56 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.