Your message dated Fri, 08 Mar 2024 09:02:13 +0000
with message-id <e1riw7j-00hali...@fasolo.debian.org>
and subject line Bug#1065118: fixed in yard 0.9.28-2+deb12u2
has caused the Debian Bug report #1065118,
regarding yard: CVE-2024-27285
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1065118: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065118
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: yard
Version: 0.9.34-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 0.9.28-2
Control: found -1 0.9.24-1

Hi,

The following vulnerability was published for yard.

CVE-2024-27285[0]:
| YARD is a Ruby Documentation tool. The "frames.html" file within the
| Yard Doc's generated documentation is vulnerable to Cross-Site
| Scripting (XSS) attacks due to inadequate sanitization of user input
| within the JavaScript segment of the "frames.erb" template file.
| This vulnerability is fixed in 0.9.35.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27285
    https://www.cve.org/CVERecord?id=CVE-2024-27285
[1] https://github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc
[2] https://github.com/lsegal/yard/commit/d78fc393d603c4fc35975969296ed381146a29d4

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: yard
Source-Version: 0.9.28-2+deb12u2
Done: Antonio Terceiro <terce...@debian.org>

We believe that the bug you reported is fixed in the latest version of
yard, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1065...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terce...@debian.org> (supplier of updated yard package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 04 Mar 2024 06:54:40 -0300
Source: yard
Architecture: source
Version: 0.9.28-2+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terce...@debian.org>
Closes: 1065118
Changes:
 yard (0.9.28-2+deb12u2) bookworm-security; urgency=high
 .
   * Update patch for CVE-2024-27285
     (Closes: #1065118)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---