Your message dated Wed, 12 Aug 2020 21:32:38 +0000
with message-id <e1k5ymq-0005th...@fasolo.debian.org>
and subject line Bug#965305: fixed in ruby-kramdown 1.17.0-1+deb10u1
has caused the Debian Bug report #965305,
regarding ruby-kramdown: CVE-2020-14001
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
965305: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965305
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-kramdown
Version: 1.17.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Control: found -1 1.17.0-1
Hi,
The following vulnerability was published for ruby-kramdown.
CVE-2020-14001[0]:
| The kramdown gem before 2.3.0 for Ruby processes the template option
| inside Kramdown documents by default, which allows unintended read
| access (such as template="/etc/passwd") or unintended embedded Ruby
| code execution (such as a string that begins with
| template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab
| Pages, GitHub Pages, and Thredded Forum.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-14001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001
[1] https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ruby-kramdown
Source-Version: 1.17.0-1+deb10u1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ruby-kramdown, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 965...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated ruby-kramdown
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 31 Jul 2020 21:56:26 +0200
Source: ruby-kramdown
Architecture: source
Version: 1.17.0-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 965305
Changes:
ruby-kramdown (1.17.0-1+deb10u1) buster-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add option forbidden_inline_options (CVE-2020-14001) (Closes: #965305)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---
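An added example, not code from kramdown or from the Debian package: a Ruby pre-render filter that mirrors what the `forbidden_inline_options` option added by the fix does, for a deployment that cannot upgrade yet and must still render untrusted Markdown. It assumes kramdown's inline option syntax `{::options key="value" /}`, forbids only `template` as upstream's default does, and the sample document is constructed.

```ruby
# Added example (not kramdown's own code): strip forbidden keys from
# kramdown inline option blocks before the document reaches the renderer.
# kramdown lets a document set parser options inline with
# `{::options key="value" /}`; before the fix the `template` key was
# honoured too, which is what CVE-2020-14001 describes.

# Keys that must never be settable from inside an untrusted document.
# Mirrors upstream's default for forbidden_inline_options; extend as needed.
FORBIDDEN_INLINE_OPTIONS = %w[template].freeze

# One inline options block; group 1 is its attribute list.
OPTIONS_BLOCK = /\{::options\s+(.*?)\s*\/\}/m

# One key="value" or key='value' attribute inside a block.
ATTRIBUTE = /([A-Za-z_][\w-]*)\s*=\s*("([^"]*)"|'([^']*)')/

# Returns [sanitized_markdown, findings]; findings lists each forbidden
# key that was removed together with the value it tried to set, for logging.
def strip_forbidden_inline_options(markdown, forbidden = FORBIDDEN_INLINE_OPTIONS)
  findings = []
  sanitized = markdown.gsub(OPTIONS_BLOCK) do
    attrs = Regexp.last_match(1)
    kept = []
    attrs.scan(ATTRIBUTE) do |key, quoted, dq, sq|
      if forbidden.include?(key)
        findings << { key: key, value: dq || sq }
      else
        kept << "#{key}=#{quoted}"
      end
    end
    # Drop the whole block when nothing safe remains in it.
    kept.empty? ? "" : "{::options #{kept.join(' ')} /}"
  end
  [sanitized, findings]
end

# Constructed sample: one harmless option block and one that tries to set
# `template`, using the value quoted in the CVE description.
UNTRUSTED_DOC = <<~MD
  {::options parse_block_html="true" /}
  Some *markdown* from an untrusted author.
  {::options template="/etc/passwd" auto_ids="false" /}
MD

if __FILE__ == $PROGRAM_NAME
  clean, found = strip_forbidden_inline_options(UNTRUSTED_DOC)
  found.each { |f| warn "blocked inline option #{f[:key]}=#{f[:value].inspect}" }
  puts clean
end
```

Run the sanitized text, not the original, through the renderer, and forward the findings to your logs so attempts to set `template` are visible.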