Your message dated Wed, 13 Jan 2021 21:49:21 +0000
with message-id <[email protected]>
and subject line Bug#980057: fixed in ruby-redcarpet 3.5.1-1
has caused the Debian Bug report #980057,
regarding ruby-redcarpet: CVE-2020-26298
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
980057: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980057
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-redcarpet
Version: 3.5.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ruby-redcarpet.
CVE-2020-26298[0]:
| Redcarpet is a Ruby library for Markdown processing. In Redcarpet
| before version 3.5.1, there is an injection vulnerability which can
| enable a cross-site scripting attack. In affected versions no HTML
| escaping was being performed when processing quotes. This applies even
| when the `:escape_html` option was being used. This is fixed in
| version 3.5.1 by the referenced commit.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-26298
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26298
[1] https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793
[2] https://github.com/advisories/GHSA-q3wr-qw3g-3p4h
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
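A regression probe for this CVE, added here as an example (it is not part of the bug report or of the redcarpet project): it renders a quoted span containing markup with `:escape_html` and the `:quote` extension enabled, the combination the advisory says was left unescaped before 3.5.1, and classifies the output. The probe input and the reference outputs are constructed from the advisory's description, not captured from the library.

```ruby
require 'cgi'

# Constructed probe: a double-quoted span (the :quote extension turns "..."
# into <q>...</q>) carrying markup that :escape_html must neutralise.
PROBE_MARKDOWN = '"<b>probe</b>"'

# A fixed renderer entity-encodes the quoted text; an affected one copies
# it through verbatim.
def quote_escaped?(html)
  html.include?('&lt;b&gt;probe&lt;/b&gt;') && !html.include?('<b>probe</b>')
end

# Renders PROBE_MARKDOWN with the installed redcarpet gem, if present, using
# the option combination named in the advisory (escape_html plus the quote
# extension). Returns [fixed?, rendered_html], or nil when the gem is absent.
def probe_installed_redcarpet
  require 'redcarpet'
  renderer = Redcarpet::Render::HTML.new(escape_html: true)
  markdown = Redcarpet::Markdown.new(renderer, quote: true)
  html = markdown.render(PROBE_MARKDOWN)
  [quote_escaped?(html), html]
rescue LoadError
  nil
end

# Reference outputs modelled on the advisory text (constructed, not captured
# from the library): the affected path emits the quoted text as-is, the fixed
# path entity-encodes it.
def expected_output(fixed:)
  inner = fixed ? CGI.escapeHTML('<b>probe</b>') : '<b>probe</b>'
  "<p><q>#{inner}</q></p>\n"
end

if __FILE__ == $PROGRAM_NAME
  result = probe_installed_redcarpet
  if result.nil?
    puts 'redcarpet gem not installed; nothing to probe'
  else
    puts(result[0] ? 'OK: quoted markup is escaped' : "VULNERABLE: #{result[1].inspect}")
  end
end
```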
--- Begin Message ---
Source: ruby-redcarpet
Source-Version: 3.5.1-1
Done: Lucas Nussbaum <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ruby-redcarpet, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Lucas Nussbaum <[email protected]> (supplier of updated ruby-redcarpet package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 13 Jan 2021 21:52:33 +0100
Source: ruby-redcarpet
Architecture: source
Version: 3.5.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Lucas Nussbaum <[email protected]>
Closes: 980057
Changes:
ruby-redcarpet (3.5.1-1) unstable; urgency=medium
.
  [ Cédric Boutillier ]
  * [ci skip] Update team name
  * [ci skip] Add .gitattributes to keep unwanted files out of the source package
.
  [ Debian Janitor ]
  * Apply multi-arch hints.
    + ruby-redcarpet: Add Multi-Arch: same.
.
  [ Lucas Nussbaum ]
  * New upstream version 3.5.1
    + Fixes CVE-2020-26298. Closes: 980057
  * Refresh packaging
    + debhelper compat level 13
    + Standards Version 4.5.1
--- End Message ---