Your message dated Sat, 11 Jul 2026 10:32:49 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1138988,
regarding trixie-pu: package ruby-css-parser/1.19.0-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138988: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138988
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:ruby-css-parser
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: trixie
X-Debbugs-Cc: [email protected]
Severity: normal
[ Reason ]
ruby-css-parser explicitly disables TLS certificate verification when
loading CSS from HTTPS URLs by setting OpenSSL::SSL::VERIFY_NONE.
This allows a man-in-the-middle attacker to provide modified CSS content
to applications using ruby-css-parser to load remote stylesheets.
The issue is tracked as CVE-2026-44312. It is not a regression relative
to previous Debian releases, the vulnerable code has existed since at
least upstream version 1.3.6.
[ Impact ]
Without this update, HTTPS connections made by ruby-css-parser do not
authenticate the remote server. Applications loading remote CSS can
therefore receive attacker-controlled content despite using HTTPS.
[ Tests ]
All enabled jobs passed, including the package build, autopkgtest,
reverse dependencies tests, and other Salsa CI checks:
https://salsa.debian.org/aquila/ruby-css-parser/-/pipelines/1102614
[ Risks ]
The fix is a single-line deletion that restores the default TLS
certificate verification behavior. The change is low risk and does not
affect parsing logic, public APIs, dependencies, or package configuration.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Import the upstream fix for CVE-2026-44312, removing the explicit
disabling of HTTPS certificate verification.
* Add the patch to debian/patches/series.
* Document the stable update in debian/changelog.
diff -Nru ruby-css-parser-1.19.0/debian/changelog
ruby-css-parser-1.19.0/debian/changelog
--- ruby-css-parser-1.19.0/debian/changelog 2024-09-25 15:13:12.000000000
-0400
+++ ruby-css-parser-1.19.0/debian/changelog 2026-06-05 20:23:34.000000000
-0400
@@ -1,3 +1,11 @@
+ruby-css-parser (1.19.0-1+deb13u1) trixie; urgency=medium
+
+ * Team upload.
+ * Import upstream patch to stop disabling HTTPS certificate verification
+ when loading remote CSS. (CVE-2026-44312)
+
+ -- Aquila Macedo Costa <[email protected]> Fri, 05 Jun 2026 21:23:34 -0300
+
ruby-css-parser (1.19.0-1) unstable; urgency=medium
* New upstream version 1.19.0
diff -Nru ruby-css-parser-1.19.0/debian/patches/CVE-2026-44312.patch
ruby-css-parser-1.19.0/debian/patches/CVE-2026-44312.patch
--- ruby-css-parser-1.19.0/debian/patches/CVE-2026-44312.patch 1969-12-31
19:00:00.000000000 -0500
+++ ruby-css-parser-1.19.0/debian/patches/CVE-2026-44312.patch 2026-06-05
20:23:34.000000000 -0400
@@ -0,0 +1,22 @@
+From e0c95d5abe91b237becb90ff316531a6547ada18 Mon Sep 17 00:00:00 2001
+From: Michael Grosser <[email protected]>
+Date: Mon, 27 Apr 2026 17:10:14 -0700
+Subject: [PATCH] Merge pull request #186 from premailer/grosser/https
+
+verify ssl when loading files over https
+---
+ lib/css_parser/parser.rb | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/css_parser/parser.rb b/lib/css_parser/parser.rb
+index 11dd36f..e8d8dcb 100644
+--- a/lib/css_parser/parser.rb
++++ b/lib/css_parser/parser.rb
+@@ -646,7 +646,6 @@ module CssParser
+ uri.port = 443 unless uri.port
+ http = Net::HTTP.new(uri.host, uri.port)
+ http.use_ssl = true
+- http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ else
+ http = Net::HTTP.new(uri.host, uri.port)
+ end
diff -Nru ruby-css-parser-1.19.0/debian/patches/series
ruby-css-parser-1.19.0/debian/patches/series
--- ruby-css-parser-1.19.0/debian/patches/series 2024-09-25
15:13:12.000000000 -0400
+++ ruby-css-parser-1.19.0/debian/patches/series 2026-06-05
20:23:34.000000000 -0400
@@ -1,2 +1,3 @@
0001-Sanitize-test-suite.patch
0002-Disable-tests-that-hit-the-network.patch
+CVE-2026-44312.patch
--- End Message ---
--- Begin Message ---
Version: 13.6
This update was released as part of 13.6.
--- End Message ---