Package: release.debian.org
Control: affects -1 + src:ruby-css-parser
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: [email protected]
Severity: normal
[ Reason ]
ruby-css-parser explicitly disables TLS certificate verification when
loading CSS from HTTPS URLs: the Net::HTTP connection it opens sets
http.verify_mode = OpenSSL::SSL::VERIFY_NONE. This allows a
man-in-the-middle attacker to serve modified CSS content to applications
that use ruby-css-parser to load remote stylesheets.
The issue is tracked as CVE-2026-44312. It is not a regression relative
to previous Debian releases; the vulnerable code has existed since at
least upstream version 1.3.6.
[ Impact ]
Without this update, HTTPS connections made by ruby-css-parser do not
authenticate the remote server. Applications loading remote CSS can
therefore receive attacker-controlled content despite using HTTPS.
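The mechanism described above, as an added example rather than code from ruby-css-parser: a local HTTPS server with a constructed self-signed certificate is fetched once the way the pre-fix code does (explicit VERIFY_NONE) and once the way the patched code does (Net::HTTP left at its default verification). The two fetch functions only mirror the shape of the lines in the upstream hunk; the server, the certificate, SAMPLE_CSS and every function and constant name here are this example's own assumptions, not part of the package.

```ruby
require 'net/http'
require 'openssl'
require 'socket'
require 'uri'

# Constructed stylesheet served by the local test server below (sample data).
SAMPLE_CSS = "body { color: red; }\n"

# Throwaway self-signed certificate for 127.0.0.1. No CA store trusts it, so it
# stands in for whatever certificate a man-in-the-middle would present.
def make_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=127.0.0.1')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', 'IP:127.0.0.1'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

LocalHttpsServer = Struct.new(:port, :listener, :thread) do
  # Closing the listener makes the accept loop see a closed stream and exit.
  def stop
    listener.close
    thread.join
  end
end

# Minimal HTTPS server on an ephemeral localhost port that answers every request
# with SAMPLE_CSS. It keeps serving after a failed handshake, which is exactly
# what a verifying client rejecting its certificate looks like from this side.
def start_https_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  listener = TCPServer.new('127.0.0.1', 0)
  ssl_server = OpenSSL::SSL::SSLServer.new(listener, ctx)
  thread = Thread.new do
    loop do
      begin
        conn = ssl_server.accept # the TLS handshake happens here
      rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
        break if listener.closed? # stop() was called
        next                      # client aborted the handshake; keep serving
      end
      begin
        # Consume the request head so closing below does not reset the
        # connection while the client still has unread response data.
        loop { line = conn.gets; break if line.nil? || line == "\r\n" }
        conn.write("HTTP/1.1 200 OK\r\n" \
                   "Content-Type: text/css\r\n" \
                   "Content-Length: #{SAMPLE_CSS.bytesize}\r\n" \
                   "Connection: close\r\n\r\n" + SAMPLE_CSS)
      rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
        # client went away mid-request; nothing to do
      ensure
        conn.close
      end
    end
  end
  LocalHttpsServer.new(listener.addr[1], listener, thread)
end

# The pre-fix shape: VERIFY_NONE accepts any certificate, so the self-signed
# one is silently trusted and the (attacker-controllable) body comes back.
def fetch_css_unverified(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE # the line the upstream patch deletes
  http.open_timeout = http.read_timeout = 5
  http.get(uri.request_uri).body
end

# The post-fix shape: with verify_mode left alone, Net::HTTP applies its default
# of VERIFY_PEER plus hostname verification, so the handshake fails on an
# untrusted certificate instead of handing back the content.
def fetch_css_verified(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.open_timeout = http.read_timeout = 5
  http.get(uri.request_uri).body
end

# :accepted if the verifying fetch returned a body, :rejected if TLS
# verification failed (OpenSSL::SSL::SSLError).
def verified_fetch_outcome(uri)
  fetch_css_verified(uri)
  :accepted
rescue OpenSSL::SSL::SSLError
  :rejected
end

# Run both fetchers against the local server and report what each got.
def run_demo
  cert, key = make_self_signed_cert
  server = start_https_server(cert, key)
  uri = URI("https://127.0.0.1:#{server.port}/style.css")
  { unverified: fetch_css_unverified(uri), verified: verified_fetch_outcome(uri) }
ensure
  server&.stop
end

p run_demo if __FILE__ == $PROGRAM_NAME
```

Run with plain ruby; the unverified fetch returns the stylesheet while the verifying fetch ends in :rejected, which is the failure mode the [ Risks ] section describes for untrusted certificates. The same two-function comparison can be pointed at a real host to confirm which behaviour a deployed parser exhibits; only the local server and certificate are test fixture.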
[ Tests ]
All enabled jobs passed, including the package build, autopkgtest,
reverse dependencies tests, and other Salsa CI checks:
https://salsa.debian.org/aquila/ruby-css-parser/-/pipelines/1102627
[ Risks ]
The fix is a single-line deletion: with the explicit verify_mode gone,
Net::HTTP falls back to its default of OpenSSL::SSL::VERIFY_PEER, so the
server certificate is validated against the system CA store and checked
against the requested host name. The change is low risk and does not
affect parsing logic, public APIs, dependencies, or package configuration.
Connections to servers using invalid or untrusted certificates will now
fail with OpenSSL::SSL::SSLError, which is the intended behavior.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Import the upstream fix for CVE-2026-44312, removing the explicit
disabling of HTTPS certificate verification.
* Add the patch to debian/patches/series.
* Document the stable update in debian/changelog.
diff -Nru ruby-css-parser-1.6.0/debian/changelog
ruby-css-parser-1.6.0/debian/changelog
--- ruby-css-parser-1.6.0/debian/changelog 2021-11-15 12:42:36.000000000
-0500
+++ ruby-css-parser-1.6.0/debian/changelog 2026-05-24 16:05:02.000000000
-0400
@@ -1,3 +1,11 @@
+ruby-css-parser (1.6.0-2+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * Import upstream patch to stop disabling HTTPS certificate verification
+ when loading remote CSS. (CVE-2026-44312)
+
+ -- Aquila Macedo Costa <[email protected]> Sun, 24 May 2026 16:05:02 -0400
+
ruby-css-parser (1.6.0-2) unstable; urgency=medium
* Team upload.
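Review bot: the changelog entry names the CVE but not the behaviour change users will actually notice, namely that loading stylesheets from HTTPS servers with untrusted or invalid certificates now fails where it previously succeeded silently. Consider adding a sentence such as "Connections to servers with untrusted certificates will now fail" to the deb12u1 entry, or a short debian/NEWS entry, so administrators of applications that depended on the lax behaviour know where to look when fetches start raising OpenSSL::SSL::SSLError.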
diff -Nru ruby-css-parser-1.6.0/debian/patches/CVE-2026-44312.patch
ruby-css-parser-1.6.0/debian/patches/CVE-2026-44312.patch
--- ruby-css-parser-1.6.0/debian/patches/CVE-2026-44312.patch 1969-12-31
19:00:00.000000000 -0500
+++ ruby-css-parser-1.6.0/debian/patches/CVE-2026-44312.patch 2026-05-24
16:05:02.000000000 -0400
@@ -0,0 +1,22 @@
+From e0c95d5abe91b237becb90ff316531a6547ada18 Mon Sep 17 00:00:00 2001
+From: Michael Grosser <[email protected]>
+Date: Mon, 27 Apr 2026 17:10:14 -0700
+Subject: [PATCH] Merge pull request #186 from premailer/grosser/https
+
+verify ssl when loading files over https
+---
+ lib/css_parser/parser.rb | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/css_parser/parser.rb b/lib/css_parser/parser.rb
+index 4312c87..3fb4711 100644
+--- a/lib/css_parser/parser.rb
++++ b/lib/css_parser/parser.rb
+@@ -583,7 +583,6 @@ module CssParser
+ uri.port = 443 unless uri.port
+ http = Net::HTTP.new(uri.host, uri.port)
+ http.use_ssl = true
+- http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ else
+ http = Net::HTTP.new(uri.host, uri.port)
+ end
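Review bot: the patch header is raw git-format-patch output of a merge commit, so its Subject reads "Merge pull request #186 from premailer/grosser/https" and the only description is "verify ssl when loading files over https"; for a patch shipped in stable, add DEP-3 Origin: upstream (pointing at commit e0c95d5abe91b237becb90ff316531a6547ada18) and Bug-Debian: fields and a Subject that states the change, for example "Verify TLS certificates when loading CSS over HTTPS (CVE-2026-44312)", so provenance is recoverable without the git history. On the hunk itself no replacement line is needed: removing the verify_mode assignment leaves Net::HTTP's default of VERIFY_PEER with hostname verification in force, and the remaining context (use_ssl = true, the else branch building a plain HTTP client for non-HTTPS URIs) is unchanged.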
diff -Nru ruby-css-parser-1.6.0/debian/patches/series
ruby-css-parser-1.6.0/debian/patches/series
--- ruby-css-parser-1.6.0/debian/patches/series 2021-11-15 12:42:36.000000000
-0500
+++ ruby-css-parser-1.6.0/debian/patches/series 2026-05-24 16:05:02.000000000
-0400
@@ -1,2 +1,3 @@
0001-Sanitize-test-suite.patch
0002-Disable-tests-that-hit-the-network.patch
+CVE-2026-44312.patch
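Review bot: the new patch is named CVE-2026-44312.patch while the two existing entries use the numbered 000N-Description form; renaming it along the lines of 0003-Verify-TLS-certificates-when-loading-CSS-over-HTTPS.patch keeps the series consistent and sortable (style point only). More importantly, 0002-Disable-tests-that-hit-the-network.patch stays in the series, so the Salsa pipeline cited under [ Tests ] cannot exercise the HTTPS code path this update changes; a manual check that a fetch from a server with an untrusted certificate now raises OpenSSL::SSL::SSLError, and that a fetch from a server with a valid certificate still succeeds, is worth recording in this bug.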