Your message dated Wed, 22 Feb 2023 20:39:18 +0000
with message-id <e1puvtw-00fkox...@fasolo.debian.org>
and subject line Bug#1030047: fixed in ruby-sanitize 6.0.0-1.1
has caused the Debian Bug report #1030047,
regarding ruby-sanitize: CVE-2023-23627
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1030047: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030047
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-sanitize
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for ruby-sanitize.
CVE-2023-23627[0]:
| Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0
| and later, prior to 6.0.1, are vulnerable to Cross-site Scripting.
| When Sanitize is configured with a custom allowlist that allows
| `noscript` elements, attackers are able to include arbitrary HTML,
| resulting in XSS (cross-site scripting) or other undesired behavior
| when that HTML is rendered in a browser. The default configurations do
| not allow `noscript` elements and are not vulnerable. This issue only
| affects users who are using a custom config that adds `noscript` to
| the element allowlist. This issue has been patched in version 6.0.1.
| Users who are unable to upgrade can prevent this issue by using one of
| Sanitize's default configs or by ensuring that their custom config
| does not include `noscript` in the element allowlist.
https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-23627
https://www.cve.org/CVERecord?id=CVE-2023-23627
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: ruby-sanitize
Source-Version: 6.0.0-1.1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ruby-sanitize, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1030...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated ruby-sanitize package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 20 Feb 2023 20:28:45 +0100
Source: ruby-sanitize
Architecture: source
Version: 6.0.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1030047
Changes:
ruby-sanitize (6.0.0-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Update tests to remove deprecated minitest 'must_be'
* Forcibly escape content in "unescaped text" elements inside math or svg namespaces
* Always remove `<noscript>` elements (CVE-2023-23627) (Closes: #1030047)
--- End Message ---
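The CVE text above ties the exposure to a custom allowlist that contains `noscript`, and the changelog entry fixes it by always removing `<noscript>` elements. The following Ruby is an added example, not code from the Debian report or the Sanitize gem: it audits a Sanitize-style config hash (keys `:elements`, `:attributes`, `:remove_contents`, as the gem's `Sanitize::Config` hashes use them) for that precondition and returns a hardened copy. The helper names and the sample config are constructed for this example.

```ruby
# Constructed example of the vulnerable pattern: a custom config that adds
# noscript to the element allowlist (the default configs do not).
CUSTOM_CONFIG = {
  elements: %w[a b i p noscript].freeze,
  attributes: { 'a' => %w[href], 'noscript' => %w[class] }.freeze,
  protocols: { 'a' => { 'href' => %w[http https] } }.freeze,
  remove_contents: %w[script style].freeze
}.freeze

# True when the config's element allowlist contains noscript.
def noscript_allowed?(config)
  Array(config[:elements]).map(&:to_s).include?('noscript')
end

# List every way a config still exposes noscript; an empty list means clean.
def audit_config(config)
  findings = []
  findings << 'noscript is in the element allowlist' if noscript_allowed?(config)
  attrs = config[:attributes]
  if attrs.is_a?(Hash) && attrs.keys.map(&:to_s).include?('noscript')
    findings << 'attributes are allowlisted for noscript'
  end
  rc = config[:remove_contents]
  unless rc == true || Array(rc).map(&:to_s).include?('noscript')
    findings << 'noscript contents are not removed'
  end
  findings
end

# Return a hardened copy: drop noscript from :elements and :attributes and add
# it to :remove_contents so the element and its contents go together, matching
# the "always remove <noscript>" behaviour of the fixed package.
# The input (possibly frozen, as Sanitize's defaults are) is left untouched.
def harden_config(config)
  hardened = config.to_h.transform_values(&:dup)
  hardened[:elements] = Array(hardened[:elements]).reject { |e| e.to_s == 'noscript' }
  attrs = hardened[:attributes]
  hardened[:attributes] = attrs.reject { |el, _| el.to_s == 'noscript' } if attrs.is_a?(Hash)
  rc = hardened[:remove_contents]
  hardened[:remove_contents] = rc == true ? true : (Array(rc).map(&:to_s) | ['noscript'])
  hardened
end

if __FILE__ == $PROGRAM_NAME
  puts "findings: #{audit_config(CUSTOM_CONFIG).inspect}"
  puts "hardened: #{harden_config(CUSTOM_CONFIG).inspect}"
end
```

Running the audit against each custom config passed to `Sanitize.fragment` or `Sanitize.document` at boot, or in the test suite, catches the allowlist regression before an upgrade to 6.0.1 lands.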