Your message dated Sun, 30 Dec 2018 22:03:25 +0000
with message-id <[email protected]>
and subject line Bug#893610: fixed in ruby-sanitize 2.1.0-2+deb9u1
has caused the Debian Bug report #893610,
regarding ruby-sanitize: CVE-2018-3740
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
893610: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893610
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-sanitize
Version: 2.1.0-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/rgrove/sanitize/issues/176
Hi,
the following vulnerability was published for ruby-sanitize.
CVE-2018-3740[0]:
Sanitize HTML injection vulnerability
Code has changed quite a bit (e.g. 'clean' -> 'fragment' method change
in v3.0.0, but the underlying issue seems present in the 2.1.0-based
version as well afaics).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-3740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3740
[1] https://github.com/rgrove/sanitize/issues/176
[2] https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ruby-sanitize
Source-Version: 2.1.0-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
ruby-sanitize, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated ruby-sanitize
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 26 Dec 2018 23:32:37 +0100
Source: ruby-sanitize
Binary: ruby-sanitize
Architecture: source
Version: 2.1.0-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
ruby-sanitize - whitelist-based HTML sanitizer
Closes: 893610
Changes:
ruby-sanitize (2.1.0-2+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Improper filtering by libxml2 leads to HTML injection vulnerability
(CVE-2018-3740) (Closes: #893610)
* Drop fix-tests-sanitize.patch patch
Checksums-Sha1:
f51df99ccb8d3d735ca58ddf635a2c39b409660e 2277 ruby-sanitize_2.1.0-2+deb9u1.dsc
3b41fa38108feb1a692f93ef97c2f2b0a249162f 18119 ruby-sanitize_2.1.0.orig.tar.gz
dc729a54e5395d1a81d5fcd8b3cb884835a62a50 7836 ruby-sanitize_2.1.0-2+deb9u1.debian.tar.xz
18e69af8ead72fbda876e1b43960d2113abb41cb 6141 ruby-sanitize_2.1.0-2+deb9u1_source.buildinfo
Checksums-Sha256:
2059daf6821fc596640fea134a49f53ec605b5b0c49af3fdd6170fc61c1e492b 2277 ruby-sanitize_2.1.0-2+deb9u1.dsc
3b6aaf24987ad656bc240905fbca73508b1d0c39411f2c84997125b3d00571e5 18119 ruby-sanitize_2.1.0.orig.tar.gz
af2e229707f4ba876955c42d2e2eb8881f4f066962b9acc7aaf15afc4d8f363d 7836 ruby-sanitize_2.1.0-2+deb9u1.debian.tar.xz
6c05dfffebdcf69587b0a49f302ca6e9cd320f1da8c968597136f5d1bb59ab3f 6141 ruby-sanitize_2.1.0-2+deb9u1_source.buildinfo
Files:
a701c67ddedf887de041605bde4c3184 2277 ruby optional ruby-sanitize_2.1.0-2+deb9u1.dsc
4b4e629451f8cad1bb9c83b90c794d88 18119 ruby optional ruby-sanitize_2.1.0.orig.tar.gz
527187827f1eab4f378f0d7b3f30bc5a 7836 ruby optional ruby-sanitize_2.1.0-2+deb9u1.debian.tar.xz
1773f3a8eec3dfc3beec7f4894d2811c 6141 ruby optional ruby-sanitize_2.1.0-2+deb9u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---