Your message dated Sat, 16 Jan 2021 19:02:13 +0000
with message-id <e1l0qpx-000fut...@fasolo.debian.org>
and subject line Bug#980057: fixed in ruby-redcarpet 3.4.0-4+deb10u1
has caused the Debian Bug report #980057,
regarding ruby-redcarpet: CVE-2020-26298
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
980057: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980057
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-redcarpet
Version: 3.5.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for ruby-redcarpet.
CVE-2020-26298[0]:
| Redcarpet is a Ruby library for Markdown processing. In Redcarpet
| before version 3.5.1, there is an injection vulnerability which can
| enable a cross-site scripting attack. In affected versions no HTML
| escaping was being performed when processing quotes. This applies even
| when the `:escape_html` option was being used. This is fixed in
| version 3.5.1 by the referenced commit.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-26298
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26298
[1] https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793
[2] https://github.com/advisories/GHSA-q3wr-qw3g-3p4h
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
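As an added illustration (not Redcarpet's own code, and not from this bug thread), a minimal Ruby model of the defect the advisory describes: an HTML renderer whose quote callback wraps a `"..."` span in `<q>` without applying the `:escape_html` escaping that ordinary text gets, beside the corrected behaviour and a check a packager can run to confirm an update closes the gap. The `QuoteRenderer` class, its `escape_in_quote` switch and the `leaks_raw_markup?` helper are assumed names for this model and do not mirror Redcarpet's C internals.

```ruby
require 'cgi'

# Toy stand-in for an HTML renderer with an :escape_html option (assumed
# names; this models the advisory's description, not Redcarpet's C code).
class QuoteRenderer
  # escape_in_quote: false reproduces the pre-3.5.1 defect, where the
  # quote callback ignored :escape_html; true is the corrected behaviour.
  def initialize(escape_html: false, escape_in_quote: true)
    @escape_html = escape_html
    @escape_in_quote = escape_in_quote
  end

  # Ordinary inline text honours :escape_html.
  def normal_text(text)
    @escape_html ? CGI.escapeHTML(text) : text
  end

  # A "..." span is wrapped in <q>. The vulnerable variant copies the
  # span through verbatim, so markup inside it reaches the output raw.
  def quote(text)
    inner = @escape_html && @escape_in_quote ? CGI.escapeHTML(text) : text
    "<q>#{inner}</q>"
  end

  # Minimal inline pass: balanced double quotes become quote spans, the
  # rest is normal text (a simplification of the :quote extension).
  def render(src)
    out = +''
    pos = 0
    src.scan(/"([^"]+)"/) do
      m = Regexp.last_match
      out << normal_text(src[pos...m.begin(0)]) << quote(m[1])
      pos = m.end(0)
    end
    out << normal_text(src[pos..-1])
  end
end

# Regression check: with :escape_html on, the only tags in the output
# should be the renderer's own <q> wrappers; any other '<' is a leak.
def leaks_raw_markup?(html)
  html.gsub(%r{</?q>}, '').include?('<')
end

# Constructed sample input: markup placed inside a quoted span.
SAMPLE = 'He said "<b>raw</b>" and left.'

VULNERABLE = QuoteRenderer.new(escape_html: true, escape_in_quote: false)
FIXED      = QuoteRenderer.new(escape_html: true)

puts VULNERABLE.render(SAMPLE)  # He said <q><b>raw</b></q> and left.
puts FIXED.render(SAMPLE)       # He said <q>&lt;b&gt;raw&lt;/b&gt;</q> and left.
```

The same check applied to the real library (render a quoted span containing markup with `quote: true` and `escape_html: true`, then scan the output for stray `<`) is what a packager would want in a regression test before and after applying the fix.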
--- Begin Message ---
Source: ruby-redcarpet
Source-Version: 3.4.0-4+deb10u1
Done: Utkarsh Gupta <utka...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ruby-redcarpet, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 980...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <utka...@debian.org> (supplier of updated ruby-redcarpet package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 15 Jan 2021 01:32:04 +0530
Source: ruby-redcarpet
Binary: ruby-redcarpet ruby-redcarpet-dbgsym
Architecture: source amd64
Version: 3.4.0-4+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utka...@debian.org>
Description:
ruby-redcarpet - Fast, safe and extensible Markdown to (X)HTML parser for Ruby
Closes: 980057
Changes:
ruby-redcarpet (3.4.0-4+deb10u1) buster-security; urgency=high
.
  * Fix a security vulnerability using `:quote` in combination with the
    `:escape_html` option. (Fixes: CVE-2020-26298) (Closes: #980057)
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---