Your message dated Sun, 10 Dec 2023 19:54:11 +0000
with message-id <e1rcpsr-00bohs...@fasolo.debian.org>
and subject line Bug#1041430: fixed in ruby-sanitize 6.0.2-1
has caused the Debian Bug report #1041430,
regarding ruby-sanitize: CVE-2023-36823
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1041430: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041430
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-sanitize
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ruby-sanitize.

CVE-2023-36823[0]:
| Sanitize is an allowlist-based HTML and CSS sanitizer. Using
| carefully crafted input, an attacker may be able to sneak arbitrary
| HTML and CSS through Sanitize starting with version 3.0.0 and prior
| to version 6.0.2 when Sanitize is configured to use the built-in
| "relaxed" config or when using a custom config that allows `style`
| elements and one or more CSS at-rules. This could result in cross-
| site scripting or other undesired behavior when the malicious HTML
| and CSS are rendered in a browser. Sanitize 6.0.2 performs
| additional escaping of CSS in `style` element content, which fixes
| this issue. Users who are unable to upgrade can prevent this issue
| by using a Sanitize config that doesn't allow `style` elements,
| using a Sanitize config that doesn't allow CSS at-rules, or by
| manually escaping the character sequence `</` as `<\/` in `style`
| element content.

https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220 (v6.0.2)
https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-36823
    https://www.cve.org/CVERecord?id=CVE-2023-36823

Please adjust the affected versions in the BTS as needed.

--- End Message ---
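The advisory quoted in the report above names two mitigations for users who cannot upgrade: a config that does not combine `style` elements with CSS at-rules, and manual escaping of `</` as `<\/` in `style` element content. The following is an added example (my own stand-alone Ruby, not code from the Sanitize gem or the Debian package) that implements both plus a check that the escaped content can no longer close the `<style>` element. The config-check helper assumes a config hash shaped like Sanitize's (`:elements` array, `:css => { :at_rules => [...] }`); that shape is an assumption, and the sample CSS is constructed, not the crafted input from the advisory.

```ruby
# Added example, not Sanitize's own code: the two mitigations named in the
# CVE-2023-36823 advisory, written as stand-alone Ruby with no gem dependency
# so it runs offline.
#
# The config-check helper assumes a config hash shaped like Sanitize's
# (:elements array, :css => { :at_rules => [...] }); that shape is my
# recollection of the gem's config and is an assumption, not advisory text.

# Manual workaround from the advisory: escape "</" as "<\/" in CSS that will
# be placed inside a <style> element. A CSS parser reads the backslash-escaped
# "/" as a plain "/", so the stylesheet keeps its meaning, while an HTML
# tokenizer can no longer find an end tag inside the style content.
# The block form of gsub is used so the backslash is inserted literally.
def escape_style_css(css)
  css.gsub('</') { '<\/' }
end

# Wrap already-sanitized CSS in a <style> element with the escaping applied.
def render_style_element(css)
  "<style>#{escape_style_css(css)}</style>"
end

# Defensive check: index of the first point at which an HTML tokenizer in
# RAWTEXT state (the state used for <style> content) would treat the content
# as the element's end tag: "</" + tag name (case-insensitive) followed by
# whitespace, "/" or ">". Returns nil when the content cannot terminate the
# element, which is the invariant the escaping is meant to establish.
def rawtext_end_tag_index(content, tag_name = 'style')
  content =~ /<\/#{Regexp.escape(tag_name)}(?=[\s\/>])/i
end

# Config-level mitigation from the advisory: the affected combination is a
# config allowing the style element together with one or more CSS at-rules.
# Returns true when a config hash (shape assumed, see header comment) allows
# both, i.e. when upgrading or content escaping is still required.
def config_exposed?(config)
  elements = Array(config[:elements]).map(&:to_s)
  at_rules = Array(config.dig(:css, :at_rules))
  elements.include?('style') && !at_rules.empty?
end

# Constructed sample CSS (not the crafted input from the advisory): a valid
# at-rule followed by an end tag sequence, which is the shape of content the
# escaping must neutralise.
SAMPLE_CSS = '@media print { .x { display: none } }</style><p>leaked</p>'

if __FILE__ == $PROGRAM_NAME
  puts "unescaped breaks out at: #{rawtext_end_tag_index(SAMPLE_CSS).inspect}"
  puts "escaped breaks out at:   #{rawtext_end_tag_index(escape_style_css(SAMPLE_CSS)).inspect}"
  puts render_style_element(SAMPLE_CSS)
  puts "relaxed-like config exposed: #{config_exposed?(elements: %w[p style], css: { at_rules: %w[media] })}"
end
```

Escaping every `</` rather than only `</style` is deliberate: it is what the advisory recommends, it costs nothing in CSS semantics, and it does not depend on guessing which end-tag spellings a given tokenizer accepts. `rawtext_end_tag_index` is the property to assert in a test suite after any change to how `style` content is serialized.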
--- Begin Message ---
Source: ruby-sanitize
Source-Version: 6.0.2-1
Done: Abhijith PA <abhij...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-sanitize, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1041...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Abhijith PA <abhij...@debian.org> (supplier of updated ruby-sanitize package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 Dec 2023 22:52:54 +0530
Source: ruby-sanitize
Binary: ruby-sanitize
Architecture: source all
Version: 6.0.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Abhijith PA <abhij...@debian.org>
Description:
 ruby-sanitize - whitelist-based HTML sanitizer
Closes: 1041430
Changes:
 ruby-sanitize (6.0.2-1) unstable; urgency=medium
 .
   * Team upload
 .
   [ Debian Janitor ]
   * Remove constraints unnecessary since buster
 .
   [Abhijith PA]
   * New upstream release
     Fix CVE-2023-36823 (Closes: #1041430)
   * Remove X*-Ruby fields
   * Bump Standards-Version to 4.6.2
Checksums-Sha1:
 cadd3d8ceb0dadd8bccb987bf88314d4cc7fdec4 2101 ruby-sanitize_6.0.2-1.dsc
 cdfb890da8c02ca127d775162c34bdc5d44904a2 45157 ruby-sanitize_6.0.2.orig.tar.gz
 a30ad69229068dbd5fb822e9804242c448c52233 3820 ruby-sanitize_6.0.2-1.debian.tar.xz
 452243a286f851e4c3e8799d6824cd3f96768ed2 34688 ruby-sanitize_6.0.2-1_all.deb
 1cd3832a86ac9f6fe44cdd305ea2bdc1416cf861 9688 ruby-sanitize_6.0.2-1_amd64.buildinfo
Checksums-Sha256:
 aaef94ca95f63bdfe52768f730fbc09a7e104f43ea322ac3c331ceb4aeb2183b 2101 ruby-sanitize_6.0.2-1.dsc
 17ab5fbf9a69027904ee866b263050808aa3c732b7984b5cb6c9bcc1d43b4684 45157 ruby-sanitize_6.0.2.orig.tar.gz
 a42229ecc2de95f50ab35a2521dbf8852f2f6ee240da03edeca03f8b87c7a832 3820 ruby-sanitize_6.0.2-1.debian.tar.xz
 7d7f2fee48919a695c2a2de232ab4e30eb47c00382fba63538ea127fa7850a4a 34688 ruby-sanitize_6.0.2-1_all.deb
 980b1adb711b183a661610e8aae7725068c31ea5eb821248d6e05ad8bf3c1e84 9688 ruby-sanitize_6.0.2-1_amd64.buildinfo
Files:
 dc1bc705b07f52a14ac5dc9194fc7e37 2101 ruby optional ruby-sanitize_6.0.2-1.dsc
 b2deed2915f7b02f30217080774acc90 45157 ruby optional ruby-sanitize_6.0.2.orig.tar.gz
 a59496ca90617b149c3a089a98772bb9 3820 ruby optional ruby-sanitize_6.0.2-1.debian.tar.xz
 c6a27b7b070110b2ab77c01399bb2fa2 34688 ruby optional ruby-sanitize_6.0.2-1_all.deb
 35b87ec8a168326fab5e464e5ac60b0e 9688 ruby optional ruby-sanitize_6.0.2-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAmV2EXMUHGFiaGlqaXRo
QGRlYmlhbi5vcmcACgkQhj1N8u2cKO9+PBAAjqYPGU9SLU06nkwKHkIbcFzanAD6
D69XtUQkkhF32baDlkIoZOSH7NzWq9QHysDl4pvkvBeRH2Q1ynAGzwb7FTZSGcMW
rIn7HJYStaLbid0yi1Qxcv/UWag7OkHQOOOY8PgZCclhtgRQCkOqVxo+mNzxHqWp
xO88SImZYluABtwAcy6DfilcNdax7k6vvtRom3i/7aC0Wmra0RKUzvTL6u/BUSBf
rwek9N20N9f/KpbmIVEwst4ifJndhTeYKibDyGaoPO8qoH/m0RiWTdLGbq+mg6lx
TgnuOKQQEbJfkGL1NhBu7V6LAzHDYLJIauzRljlaZgVum8fEOwZufsz7PnGVDVy9
QM3Cg0C5Fux2R0YIRP12+KCqeArJomWtzLSkWtdej1MenneJHWVFKERXHj01ucis
0IAs4++SOZ2KtPTwcoPINtcSd+/+jLYK3REh1DJp9wfnnMcreueaYZ3X/uCDEPEY
mdnmxaL0uPkz1qvgF673SsvpzLPBAkRbrho9QJSwQVJtmhLgVdLQ6zM2rwebAO0q
92Y1w0Tglbmtxx85b44s3h4p3pvWfeJduz6FRzZNkHuBpsb2iz416wAPu3nUoTZG
XoHVcp256cdkjLzxW0kDferYD1p/8vw9rwZVjTh4itBk8dY2BVVuW8SA/dH3DPm3
KnYxUVTMyypJ978=
=iHe1
-----END PGP SIGNATURE-----

--- End Message ---