Your message dated Sat, 11 Jul 2026 10:32:49 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1138988,
regarding trixie-pu: package ruby-css-parser/1.19.0-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138988: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138988
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:ruby-css-parser
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: trixie
X-Debbugs-Cc: [email protected]
Severity: normal

[ Reason ]
ruby-css-parser explicitly disables TLS certificate verification when loading CSS from HTTPS URLs by setting OpenSSL::SSL::VERIFY_NONE.

This allows a man-in-the-middle attacker to provide modified CSS content to applications using ruby-css-parser to load remote stylesheets.

The issue is tracked as CVE-2026-44312. It is not a regression relative to previous Debian releases, the vulnerable code has existed since at least upstream version 1.3.6.

[ Impact ]
Without this update, HTTPS connections made by ruby-css-parser do not authenticate the remote server. Applications loading remote CSS can therefore receive attacker-controlled content despite using HTTPS.

[ Tests ]
All enabled jobs passed, including the package build, autopkgtest, reverse dependencies tests, and other Salsa CI checks:

https://salsa.debian.org/aquila/ruby-css-parser/-/pipelines/1102614

[ Risks ]
The fix is a single-line deletion that restores the default TLS certificate verification behavior. The change is low risk and does not affect parsing logic, public APIs, dependencies, or package configuration.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Import the upstream fix for CVE-2026-44312, removing the explicit disabling of HTTPS certificate verification.
* Add the patch to debian/patches/series.
* Document the stable update in debian/changelog.
diff -Nru ruby-css-parser-1.19.0/debian/changelog 
ruby-css-parser-1.19.0/debian/changelog
--- ruby-css-parser-1.19.0/debian/changelog     2024-09-25 15:13:12.000000000 
-0400
+++ ruby-css-parser-1.19.0/debian/changelog     2026-06-05 20:23:34.000000000 
-0400
@@ -1,3 +1,11 @@
+ruby-css-parser (1.19.0-1+deb13u1) trixie; urgency=medium
+
+  * Team upload.
+  * Import upstream patch to stop disabling HTTPS certificate verification
+    when loading remote CSS. (CVE-2026-44312)
+
+ -- Aquila Macedo Costa <[email protected]>  Fri, 05 Jun 2026 21:23:34 -0300
+
 ruby-css-parser (1.19.0-1) unstable; urgency=medium
 
   * New upstream version 1.19.0
diff -Nru ruby-css-parser-1.19.0/debian/patches/CVE-2026-44312.patch 
ruby-css-parser-1.19.0/debian/patches/CVE-2026-44312.patch
--- ruby-css-parser-1.19.0/debian/patches/CVE-2026-44312.patch  1969-12-31 
19:00:00.000000000 -0500
+++ ruby-css-parser-1.19.0/debian/patches/CVE-2026-44312.patch  2026-06-05 
20:23:34.000000000 -0400
@@ -0,0 +1,22 @@
+From e0c95d5abe91b237becb90ff316531a6547ada18 Mon Sep 17 00:00:00 2001
+From: Michael Grosser <[email protected]>
+Date: Mon, 27 Apr 2026 17:10:14 -0700
+Subject: [PATCH] Merge pull request #186 from premailer/grosser/https
+
+verify ssl when loading files over https
+---
+ lib/css_parser/parser.rb | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/css_parser/parser.rb b/lib/css_parser/parser.rb
+index 11dd36f..e8d8dcb 100644
+--- a/lib/css_parser/parser.rb
++++ b/lib/css_parser/parser.rb
+@@ -646,7 +646,6 @@ module CssParser
+             uri.port = 443 unless uri.port
+             http = Net::HTTP.new(uri.host, uri.port)
+             http.use_ssl = true
+-            http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+           else
+             http = Net::HTTP.new(uri.host, uri.port)
+           end
diff -Nru ruby-css-parser-1.19.0/debian/patches/series 
ruby-css-parser-1.19.0/debian/patches/series
--- ruby-css-parser-1.19.0/debian/patches/series        2024-09-25 
15:13:12.000000000 -0400
+++ ruby-css-parser-1.19.0/debian/patches/series        2026-06-05 
20:23:34.000000000 -0400
@@ -1,2 +1,3 @@
 0001-Sanitize-test-suite.patch
 0002-Disable-tests-that-hit-the-network.patch
+CVE-2026-44312.patch

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to