-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3565-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
September 13, 2023                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : ruby-loofah
Version        : 2.2.3-1+deb10u2
CVE ID         : CVE-2022-23514 CVE-2022-23515 CVE-2022-23516
Debian Bug     : 1026083

Multiple vulnerabilities were discovered in Loofah, a Ruby library for
HTML/XML transformation and sanitization. An attacker could launch
cross-site scripting (XSS) and denial-of-service (DoS) attacks through
crafted HTML/XML documents.

CVE-2022-23514

    Inefficient regular expression that is susceptible to excessive
    backtracking when attempting to sanitize certain SVG attributes.
    This may lead to a denial of service through CPU resource
    consumption.

CVE-2022-23515

    Cross-site scripting via the image/svg+xml media type in data URIs.

CVE-2022-23516

    Loofah uses recursion for sanitizing CDATA sections, making it
    susceptible to stack exhaustion and raising a SystemStackError
    exception. This may lead to a denial of service through CPU
    resource consumption.

For Debian 10 buster, these problems have been fixed in version
2.2.3-1+deb10u2.

We recommend that you upgrade your ruby-loofah packages.

For the detailed security status of ruby-loofah please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-loofah

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmUBzRgACgkQDTl9HeUl
XjAMXBAAm1NhBGBxyGR5/4g4/SMXjuqzWzqiYs2NRwmxhpq3v0ALZnwanseNuvtf
ryue5Lial9UFCnh7g758bFOmao3UesCtTOdQzDQOkJ0ri247UGEbYd3p2oL3+i8i
YSKoKscGiL3RQ+IpfNy25p4oT/6bvPn7FHKGudSRnKhMqYh8ttDi9DweMEjXgPnv
XijxcB8KSB6X8dGUZjRXRXsG8KUZOzbvGJzrb//8Fmc7qwZUSJNakS4mENpwYgxN
vZB5IfB9p9sB8x/mKyFHD5O/y8hryk5ujnG6F4BfPmL3rWpqxaYXo1ehq8yGqkAy
6t/37RjQv4g2IRC/wjABZjJ1QV69fS4ZIilQG/hQgwUNT89uF15lDHNrCpNU76VF
24zytYqb3OnbiPbmaa0r5VOgPLv+OSB53lLUFz009/OjMHtq2TNPz9rj+7staG/P
A2qmUgjx3waBoMYVXgcJ1sUhkf/tOlQVx797EWjiUYl4xxcT2L5rIr4tQzPaW74P
MSgJBeSIspOKf5F2vnPuoEKNJt63biH7sbp+CBYFlwcaJ4rS+YHc5W1Lxawm/21I
XYtPXpEiw08YLFCc4ITgMcuPUVFIFXYswyG0VaONyLmRjLjT1LlWDCeA69tZ58KP
ja+HaaQ6uSir3WEtsLTl1XStK6Ep9h1CBRPxsnY1Hlx6qtkIVn0=
=dRUb
-----END PGP SIGNATURE-----
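The advisory's action item is to upgrade to 2.2.3-1+deb10u2 and confirm that the upgrade landed. Because the buster fix is a backport, the patched package still carries upstream version 2.2.3, so checking `Loofah::VERSION` from inside Ruby cannot distinguish a patched host from an unpatched one; the Debian package version is the ground truth. The script below is an added example, not part of DLA-3565-1 or of the ruby-loofah package: it reimplements dpkg's version ordering (epoch, upstream version, Debian revision, with the "~" sorts-before-everything and digit-run rules) in plain Ruby so the check can run in CI or against a host inventory where `dpkg --compare-versions` is not available. All function names (`dpkg_verrevcmp`, `debian_version_compare`, `ruby_loofah_fixed?`) are mine; `FIXED_VERSION` is the version from the advisory.

```ruby
# Added example (not part of DLA-3565-1 or the ruby-loofah package):
# plain-Ruby reimplementation of dpkg's Debian version ordering, used to
# check an installed ruby-loofah package version against the fixed version
# named in the advisory. Helper names are mine; the rules are dpkg's.

FIXED_VERSION = "2.2.3-1+deb10u2".freeze # fixed version from DLA-3565-1

def dpkg_digit?(c)
  !c.nil? && c >= "0" && c <= "9"
end

def dpkg_alpha?(c)
  !c.nil? && ((c >= "a" && c <= "z") || (c >= "A" && c <= "Z"))
end

# dpkg's collation weight for one non-digit position: end of string is 0,
# letters sort by ASCII value, "~" sorts before everything (even the end
# of the string), and any other symbol sorts after all letters.
def dpkg_order(c)
  return 0 if c.nil? || dpkg_digit?(c)
  return c.ord if dpkg_alpha?(c)
  return -1 if c == "~"
  c.ord + 256
end

# Compare two upstream-version or revision strings the way dpkg does:
# alternate between non-digit runs (compared position by position with
# dpkg_order) and digit runs (compared numerically, ignoring leading zeros).
# Returns -1, 0 or 1.
def dpkg_verrevcmp(a, b)
  i = 0
  j = 0
  while i < a.length || j < b.length
    first_diff = 0
    while (i < a.length && !dpkg_digit?(a[i])) || (j < b.length && !dpkg_digit?(b[j]))
      ac = dpkg_order(a[i])
      bc = dpkg_order(b[j])
      return ac <=> bc if ac != bc
      i += 1
      j += 1
    end
    i += 1 while a[i] == "0"
    j += 1 while b[j] == "0"
    while dpkg_digit?(a[i]) && dpkg_digit?(b[j])
      first_diff = a[i] <=> b[j] if first_diff.zero?
      i += 1
      j += 1
    end
    return 1 if dpkg_digit?(a[i])  # a's number has more digits, so it is larger
    return -1 if dpkg_digit?(b[j])
    return first_diff unless first_diff.zero?
  end
  0
end

# Split "[epoch:]upstream[-revision]"; the last "-" separates the revision.
def parse_debian_version(version)
  epoch, rest = version.include?(":") ? version.split(":", 2) : ["0", version]
  dash = rest.rindex("-")
  upstream = dash ? rest[0...dash] : rest
  revision = dash ? rest[(dash + 1)..-1] : ""
  [epoch.to_i, upstream, revision]
end

def debian_version_compare(a, b)
  ea, ua, ra = parse_debian_version(a)
  eb, ub, rb = parse_debian_version(b)
  return ea <=> eb if ea != eb
  c = dpkg_verrevcmp(ua, ub)
  return c unless c.zero?
  dpkg_verrevcmp(ra, rb)
end

# True when the installed Debian package version is at or above the fix.
def ruby_loofah_fixed?(installed_version)
  debian_version_compare(installed_version, FIXED_VERSION) >= 0
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.empty?
    puts "usage: ruby #{File.basename(__FILE__)} \"$(dpkg-query -W -f='${Version}' ruby-loofah)\""
  else
    v = ARGV[0]
    state = ruby_loofah_fixed?(v) ? "at or above" : "BELOW"
    puts "ruby-loofah #{v}: #{state} fixed version #{FIXED_VERSION}"
  end
end
```

On a buster host itself, `dpkg-query -W -f='${Version}' ruby-loofah` reports the installed version and `dpkg --compare-versions "$v" ge 2.2.3-1+deb10u2` gives the same verdict; the Ruby reimplementation is for the case where the versions were collected elsewhere. Note that a backport such as 2.2.3-1~bpo10+1 correctly sorts below 2.2.3-1 under these rules, and 2.2.3-1+deb10u10 above 2.2.3-1+deb10u2, which a naive string comparison would get wrong.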