Your message dated Sun, 30 Oct 2022 00:04:29 +0300
with message-id <Y12VXR+niRB8dWrZ@localhost>
and subject line Fixed in 1.4.3-0.1
has caused the Debian Bug report #1013806,
regarding ruby-rails-html-sanitizer: CVE-2022-32209
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1013806: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013806
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-rails-html-sanitizer
Version: 1.4.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ruby-rails-html-sanitizer.

CVE-2022-32209[0]:
| # Possible XSS Vulnerability in Rails::Html::SanitizerThere is a
| possible XSS vulnerability with certain configurations of
| Rails::Html::Sanitizer.This vulnerability has been assigned the CVE
| identifier CVE-2022-32209.Versions Affected: ALLNot affected:
| NONEFixed Versions: v1.4.3## ImpactA possible XSS vulnerability with
| certain configurations of Rails::Html::Sanitizer may allow an attacker
| to inject content if the application developer has overridden the
| sanitizer's allowed tags to allow both `select` and `style`
| elements.Code is only impacted if allowed tags are being overridden.
| This may be done via application configuration:```ruby# In
| config/application.rbconfig.action_view.sanitized_allowed_tags =
| ["select", "style"]```see
| https://guides.rubyonrails.org/configuring.html#configuring-action-
| viewOr it may be done with a `:tags` option to the Action View helper
| `sanitize`:```&lt;%= sanitize @comment.body, tags: ["select", "style"]
| %&gt;```see https://api.rubyonrails.org/classes/ActionView/Helpers/San
| itizeHelper.html#method-i-sanitizeOr it may be done with
| Rails::Html::SafeListSanitizer directly:```ruby# class-level
| optionRails::Html::SafeListSanitizer.allowed_tags = ["select",
| "style"]```or```ruby# instance-level
| optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags:
| ["select", "style"])```All users overriding the allowed tags by any of
| the above mechanisms to include both "select" and "style" should
| either upgrade or use one of the workarounds immediately.##
| ReleasesThe FIXED releases are available at the normal locations.##
| WorkaroundsRemove either `select` or `style` from the overridden
| allowed tags.## CreditsThis vulnerability was responsibly reported by
| [windshock](https://hackerone.com/windshock?type=user).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-32209
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209
[1] https://hackerone.com/reports/1530898
[2] 
https://discuss.rubyonrails.org/t/cve-2022-32209-possible-xss-vulnerability-in-rails-sanitizer/80800
[3] 
https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Version: 1.4.3-0.1

ruby-rails-html-sanitizer (1.4.3-0.1) unstable; urgency=low

  * Non-maintainer upload.
  * New upstream release.
...
    - CVE-2022-32209: Possible XSS vulnerability.

 -- Adrian Bunk <[email protected]>  Sun, 16 Oct 2022 02:44:52 +0300

--- End Message ---

Reply via email to