Bug#985569: marked as done (ruby-kramdown: CVE-2021-28834)
Your message dated Tue, 13 Apr 2021 13:47:16 + with message-id and subject line Bug#985569: fixed in ruby-kramdown 1.17.0-1+deb10u2 has caused the Debian Bug report #985569, regarding ruby-kramdown: CVE-2021-28834 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
985569: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985569
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: ruby-kramdown
Version: 2.3.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/gettalong/kramdown/pull/708
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for ruby-kramdown.

CVE-2021-28834[0]:
| Kramdown before 2.3.1 does not restrict Rouge formatters to the
| Rouge::Formatters namespace, and thus arbitrary classes can be
| instantiated.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-28834
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28834
[1] https://github.com/gettalong/kramdown/pull/708
[2] https://github.com/gettalong/kramdown/commit/d6a1cbcb2caa2f8a70927f176070d126b2422760
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1941044
[4] https://gitlab.com/gitlab-org/gitlab/-/commit/179329b5c3c118924fb242dc449d06b4ed6ccb66

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ruby-kramdown
Source-Version: 1.17.0-1+deb10u2
Done: Antonio Terceiro

We believe that the bug you reported is fixed in the latest version of
ruby-kramdown, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro (supplier of updated ruby-kramdown package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 03 Apr 2021 13:05:12 -0300
Source: ruby-kramdown
Architecture: source
Version: 1.17.0-1+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers
Changed-By: Antonio Terceiro
Closes: 985569
Changes:
 ruby-kramdown (1.17.0-1+deb10u2) buster-security; urgency=high
 .
   * Team upload.
   * Add upstream patch to fix arbitrary code execution vulnerability
     [CVE-2021-28834] (Closes: #985569)
Checksums-Sha1:
 a026ebd36a80ba7737b7067ac2390b79cecaed41 2264 ruby-kramdown_1.17.0-1+deb10u2.dsc
 c136dcdceda43fca8b554838e11b9cd7f9de44c8 6460 ruby-kramdown_1.17.0-1+deb10u2.debian.tar.xz
 c46779431a3d61a8e00f27ced966756a62385988 12267 ruby-kramdown_1.17.0-1+deb10u2_amd64.buildinfo
Checksums-Sha256:
 9d6c163df3b59b112356d35d4db94999a285f7e89f6bd5ffc713b8518caec700 2264 ruby-kramdown_1.17.0-1+deb10u2.dsc
 948707c868f2303bae50bb25e8bb52e36c86273ad071e05ba093a298223729df 6460 ruby-kramdown_1.17.0-1+deb10u2.debian.tar.xz
 9e8c1dba870e6c550e7bbe1657324e2fb9cc17fa89153b00e2b1a96918275e7d 12267 ruby-kramdown_1.17.0-1+deb10u2_amd64.buildinfo
Files:
 f2cebc43fb434da44f337f15f9111b79 2264 ruby optional ruby-kramdown_1.17.0-1+deb10u2.dsc
 4206b2003209fb1e11e77bd54396a96a 6460 ruby optional ruby-kramdown_1.17.0-1+deb10u2.debian.tar.xz
 a37c887e1bf07e98c8a11a3ea957c2c3 12267 ruby optional ruby-kramdown_1.17.0-1+deb10u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEst7mYDbECCn80PEM/A2xu81GC94FAmBxrL4ACgkQ/A2xu81G
C95QfxAAgx4un0+FvZrlxNE2bcgUlXoysvGVmxKmSTSf7gmcGJlMzFj5IDOLGF2m
3k/nmkprS7TQd2O+R/l5//7D+JLRbMFAQRxtxCdC+Hhx7jqOitF9l74b9W+HlTcQ
miBqKimFhZ/rm/wvmzOqVnSU372I41PH6HN73VxqYH/JF+Lc558nFHTroqLXVyla
ligdiPeMrP7uCAFt8JbGukwzKHjkMAkqDXjah2nxhesZ1rAF9GlXk8aHuBHH0Lh2
JtlUZ+PxnYvuMN811VTkEGfgjzMMgEM3iFE8dHgic5TG10UoucnDWYFrBgkkJNxs
4F6+ZQ1CkOe2zd954+Axer9NkWzcUjk6sKIU4Hl3gw9eOMb/EaTIndrrWyoJ9pBx
+DGLK8FLBv/8S1TKYjUB9oQ/3INbNIratUmyO7oan87uV9vlfkZPkvQoUGdoLAbz
8aUqS1NARp9//5F9SETqX3C07RaIt7hvUvfOU2aQbpLLcjCeeLaEWER/GgxKtLJA
kGrcrEvZSaxsMNnXiyK0l681seYLR3GgZZ/DFObD66Tx5OY8BuMhGAYtz5r/lU24
hu5XlXBDXcC/SZ/BsKKB9vDx4D06g3NJvH8M97FDbPO4bmmGNOr5lTx8O6fjd4xF
4wMEfyI/3LMje12
Bug#985569: marked as done (ruby-kramdown: CVE-2021-28834)
Your message dated Sat, 03 Apr 2021 16:18:30 + with message-id and subject line Bug#985569: fixed in ruby-kramdown 2.3.0-5 has caused the Debian Bug report #985569, regarding ruby-kramdown: CVE-2021-28834 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
985569: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985569
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: ruby-kramdown
Version: 2.3.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/gettalong/kramdown/pull/708
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for ruby-kramdown.

CVE-2021-28834[0]:
| Kramdown before 2.3.1 does not restrict Rouge formatters to the
| Rouge::Formatters namespace, and thus arbitrary classes can be
| instantiated.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-28834
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28834
[1] https://github.com/gettalong/kramdown/pull/708
[2] https://github.com/gettalong/kramdown/commit/d6a1cbcb2caa2f8a70927f176070d126b2422760
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1941044
[4] https://gitlab.com/gitlab-org/gitlab/-/commit/179329b5c3c118924fb242dc449d06b4ed6ccb66

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ruby-kramdown
Source-Version: 2.3.0-5
Done: Antonio Terceiro

We believe that the bug you reported is fixed in the latest version of
ruby-kramdown, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro (supplier of updated ruby-kramdown package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 03 Apr 2021 10:39:28 -0300
Source: ruby-kramdown
Architecture: source
Version: 2.3.0-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers
Changed-By: Antonio Terceiro
Closes: 985569
Changes:
 ruby-kramdown (2.3.0-5) unstable; urgency=medium
 .
   * Team upload.
   * Add upstream patch to fix arbitrary code execution vulnerability
     [CVE-2021-28834] (Closes: #985569)
Checksums-Sha1:
 cc6f32f7343944e87428e5bbf05d3d51367a7570 2246 ruby-kramdown_2.3.0-5.dsc
 19444f84511472c356f9dcbd23fe52e9f3d7cb2d 6232 ruby-kramdown_2.3.0-5.debian.tar.xz
 69ab98fd563e477dae9c6e77d7d1f5cd9444c25f 11091 ruby-kramdown_2.3.0-5_amd64.buildinfo
Checksums-Sha256:
 2edcd5e445413a52c8f9008dffed01801636858577ae2cbf743b4cbe9876cf09 2246 ruby-kramdown_2.3.0-5.dsc
 52f46ed89d839e082ea18e8d5b9addaec9ca99dd6640d6f63cc35b9368b0af11 6232 ruby-kramdown_2.3.0-5.debian.tar.xz
 67d4c2926acba25991b18a19c4a04fba58d843fed8be78d1349f19e7f66cfb5a 11091 ruby-kramdown_2.3.0-5_amd64.buildinfo
Files:
 c916825c632e0a876d5d646d7dd80f03 2246 ruby optional ruby-kramdown_2.3.0-5.dsc
 086f0901ff737fb42977b39e7cec8d8d 6232 ruby optional ruby-kramdown_2.3.0-5.debian.tar.xz
 3d6d9117b02bbd86a94122361211414a 11091 ruby optional ruby-kramdown_2.3.0-5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEst7mYDbECCn80PEM/A2xu81GC94FAmBokQ8ACgkQ/A2xu81G
C97SzQ//RRnTWPtyBIdKZVnFu8Xkjnz7o01FvCPOELgcyOU3F+QIMnrbrQ8Mj3hj
CP/jGuDHE3rsvlzhutBrtJ6cUTXhSBah9LVM/LS2TVPFZCy10JIPQfEBToCLS51P
Fn+7rs4kiKUZ4r21Giv4Ru2Im/ZGONbSLAjfonfdXvMhubo5nC1RY3m5J1WRQBBf
53VXc7Uz5u23TRd0Id/1axgZ6Gjl4Ab5Pwvnwm7CXx3KXgIupw/YD0uelYJjolNd
bZifKtMY/G45A93s/3i9S3FNIwe0HxxJ31fj+p4F8F2cSfiJr9hTFzMjfpL7wCbA
a8Mrtw6wTqrG+jpVVl9IqpbGBzLpun050St432BYvaJgcwbXf0s53OYdiotQPDGB
NntTqEPNaBo0YUvU6K3IcfVI8aFe7ZLvLHTTmRJB5/6MrCw8RI21u1E3440OIGwj
YnJ69oTG1y9LBuIR6lH3QOoqcOrMVxfgPXF1vPyUgomg/h5Vc5O/PS7r1NVpecLU
81ePxPQkI5FiOiQImW87Zn3abj8YdksHxQXOQ0RlHiYE/H8LkR/mOOlCdR+pWzAn
4k4U7Mr2abQ8qjIGcqa+VbszIPo29vys1aXZR2lhNa53lLaKZfGMhFQyXliQUNX0
8QfmfIwIvQ1/5McsYe+O9cytOoicWV6WOmo+AFsbIYVJGMCEl0A=
=X7z1
-----END PGP SIGNATURE-----
--- End Message ---
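The CVE text quoted in the bug report ("does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated") describes a namespace escape in a name-to-class lookup. One Ruby detail makes that easy to get wrong: Module#const_get defaults to inherit=true, and on a module that lookup also searches Object, so a caller-supplied name that is not defined inside the intended namespace can still resolve to a top-level constant. The following is an added example illustrating that class of problem beside a confined lookup; it is not kramdown's, Rouge's or Debian's code, the page does not show kramdown's actual code, and the module Formatters, its members, the regex SIMPLE_CONST and the lookup_* helpers are assumed names for illustration.

```ruby
# Added example, not kramdown's or Rouge's own code. Module, class and method
# names (Formatters, HTML, VERSION, SIMPLE_CONST, lookup_unrestricted,
# lookup_restricted, restricted_lookup_result) are assumed for illustration.

# A stand-in for a namespace of formatter classes selected by name.
module Formatters
  VERSION = "0.1".freeze   # a constant that is deliberately not a class

  class HTML
    attr_reader :opts
    def initialize(opts = {})
      @opts = opts
    end
  end
end

# Weak form: Module#const_get defaults to inherit=true, and for a module the
# lookup then falls through to Object. A name that is not defined inside
# Formatters can therefore still resolve to a top-level constant.
def lookup_unrestricted(name)
  Formatters.const_get(name)
end

# Only bare constant names: no "::" path segments and no leading "::".
SIMPLE_CONST = /\A[[:upper:]][[:alnum:]_]*\z/

# Hardened form: validate the shape of the name, look it up with
# inherit=false so that only constants defined directly in Formatters
# resolve, and require the result to be a class before it can be
# instantiated.
def lookup_restricted(name)
  unless name.is_a?(String) && name.match?(SIMPLE_CONST)
    raise ArgumentError, "invalid formatter name: #{name.inspect}"
  end
  klass = Formatters.const_get(name, false)
  raise TypeError, "not a formatter class: #{name}" unless klass.is_a?(Class)
  klass
end

# Reports the outcome of the hardened lookup as a symbol so a caller (or a
# test) can see why a given name was rejected.
def restricted_lookup_result(name)
  lookup_restricted(name)
  :ok
rescue ArgumentError
  :rejected_name
rescue TypeError
  :not_a_class
rescue NameError
  :unknown_constant
end

if __FILE__ == $PROGRAM_NAME
  ["HTML", "String", "Object::String", "VERSION", "html"].each do |n|
    unrestricted = begin
      lookup_unrestricted(n).inspect
    rescue NameError
      "NameError"
    end
    puts "#{n.ljust(16)} unrestricted=#{unrestricted.ljust(18)} " \
         "restricted=#{restricted_lookup_result(n)}"
  end
end
```

Running the block shows the contrast: "String" and "Object::String" resolve through the unrestricted lookup even though neither is defined in Formatters, while the restricted lookup accepts only "HTML". The rescue order matters because TypeError and ArgumentError are not NameError subclasses but NoMethodError is, so the NameError branch is kept last and catches only the missing-constant case.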