Your message dated Sun, 05 Feb 2023 22:50:54 +0000
with message-id <e1ponqy-00dccm...@fasolo.debian.org>
and subject line Bug#1027153: fixed in ruby-rails-html-sanitizer 1.4.4-1
has caused the Debian Bug report #1027153,
regarding ruby-rails-html-sanitizer: CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1027153: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027153
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-rails-html-sanitizer
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ruby-rails-html-sanitizer.

CVE-2022-23517[0]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Certain configurations of rails-html-sanitizer
| < 1.4.4 use an inefficient regular expression that is susceptible
| to excessive backtracking when attempting to sanitize certain SVG
| attributes. This may lead to a denial of service through CPU resource
| consumption. This issue has been patched in version 1.4.4.

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w
https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979

CVE-2022-23518[1]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to
| cross-site scripting via data URIs when used in combination with
| Loofah >= 2.1.0. This issue is patched in version 1.4.4.

https://github.com/rails/rails-html-sanitizer/issues/135
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m

CVE-2022-23519[2]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Prior to version 1.4.4, a possible XSS
| vulnerability with certain configurations of Rails::Html::Sanitizer
| may allow an attacker to inject content if the application developer
| has overridden the sanitizer's allowed tags in either of the following
| ways: allow both "math" and "style" elements, or allow both "svg" and
| "style" elements. Code is only impacted if allowed tags are being
| overridden. This issue is fixed in version 1.4.4. All users
| overriding the allowed tags to include "math" or "svg" and "style"
| should either upgrade or use the following workaround immediately:
| Remove "style" from the overridden allowed tags, or remove "math" and
| "svg" from the overridden allowed tags.

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h

CVE-2022-23520[3]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Prior to version 1.4.4, there is a possible XSS
| vulnerability with certain configurations of Rails::Html::Sanitizer
| due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may
| allow an attacker to inject content if the application developer has
| overridden the sanitizer's allowed tags to allow both "select" and
| "style" elements. Code is only impacted if allowed tags are being
| overridden. This issue is patched in version 1.4.4. All users
| overriding the allowed tags to include both "select" and "style"
| should either upgrade or use this workaround: Remove either "select"
| or "style" from the overridden allowed tags. NOTE: Code is _not_
| impacted if allowed tags are overridden using either the :tags option
| to the Action View helper method sanitize or the :tags option to the
| instance method SafeListSanitizer#sanitize.

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-23517
    https://www.cve.org/CVERecord?id=CVE-2022-23517
[1] https://security-tracker.debian.org/tracker/CVE-2022-23518
    https://www.cve.org/CVERecord?id=CVE-2022-23518
[2] https://security-tracker.debian.org/tracker/CVE-2022-23519
    https://www.cve.org/CVERecord?id=CVE-2022-23519
[3] https://security-tracker.debian.org/tracker/CVE-2022-23520
    https://www.cve.org/CVERecord?id=CVE-2022-23520

Please adjust the affected versions in the BTS as needed.

--- End Message ---
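The two XSS advisories above (CVE-2022-23519 and CVE-2022-23520) only bite when an application has overridden the sanitizer's allowed tags to include "style" together with "math", "svg" or "select". The following audit helper is an added example, not code from the bug report or from the rails-html-sanitizer project: it checks an application's overridden tag list for exactly those combinations, applies the advisories' workaround (dropping "style"), and gates on the upstream gem version against the fixed release 1.4.4. The function names and the sample tag list are constructed for illustration; the version check expects an upstream gem version string, not the Debian package version.

```ruby
require "set"
require "rubygems"

# First upstream release that fixes all four CVEs named in the bug report.
FIXED_VERSION = Gem::Version.new("1.4.4")

# Tag combinations the advisories describe as unsafe when the allowed tags
# are overridden: "math"+"style" or "svg"+"style" (CVE-2022-23519) and
# "select"+"style" (CVE-2022-23520).
RISKY_COMBINATIONS = {
  "CVE-2022-23519" => [%w[math style], %w[svg style]],
  "CVE-2022-23520" => [%w[select style]],
}.freeze

# Returns the CVE ids whose risky combination is fully present in
# +allowed_tags+ (an Enumerable of tag-name strings). An empty array means
# no finding for these two advisories.
def risky_tag_findings(allowed_tags)
  tags = allowed_tags.map { |t| t.to_s.downcase }.to_set
  RISKY_COMBINATIONS.select do |_cve, combos|
    combos.any? { |combo| combo.all? { |t| tags.include?(t) } }
  end.keys
end

# Applies the workaround stated in both advisories: removing "style" from
# the overridden allowed tags neutralises every combination listed above.
# Returns a new array and leaves the caller's configuration untouched.
def apply_workaround(allowed_tags)
  allowed_tags.reject { |t| t.to_s.downcase == "style" }
end

# True when the installed upstream gem version is still affected (any
# release before 1.4.4, per the advisories).
def needs_upgrade?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a developer allowed inline SVG, <select> and <style>
  # on top of the default tags.
  allowed = %w[p a strong em svg select style]
  puts "needs upgrade (1.4.3): #{needs_upgrade?('1.4.3')}"
  puts "findings: #{risky_tag_findings(allowed).inspect}"
  hardened = apply_workaround(allowed)
  puts "after workaround: #{hardened.inspect} -> #{risky_tag_findings(hardened).inspect}"
end
```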
--- Begin Message ---
Source: ruby-rails-html-sanitizer
Source-Version: 1.4.4-1
Done: Abhijith PA <abhij...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-rails-html-sanitizer, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1027...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Abhijith PA <abhij...@debian.org> (supplier of updated 
ruby-rails-html-sanitizer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 05 Feb 2023 11:54:51 +0530
Source: ruby-rails-html-sanitizer
Architecture: source
Version: 1.4.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team 
<pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Abhijith PA <abhij...@debian.org>
Closes: 1027153
Changes:
 ruby-rails-html-sanitizer (1.4.4-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream release (Closes: #1027153)
     - Fix CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520
   * Drop 0001-tests-skip-failing.patch patch
   * debian/control
     - Set Standards-Version: 4.6.2
     - Replace ruby | ruby-interpreter with ${ruby:Depends}
     - Drop XB-Ruby-Versions and XB-Ruby-Versions


--- End Message ---
