Your message dated Sat, 11 Jul 2026 10:42:31 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1138989,
regarding bookworm-pu: package ruby-css-parser/1.6.0-2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138989: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138989
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:ruby-css-parser
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: [email protected]
Severity: normal

[ Reason ]
ruby-css-parser explicitly disables TLS certificate verification when loading CSS from HTTPS URLs by setting OpenSSL::SSL::VERIFY_NONE.

This allows a man-in-the-middle attacker to provide modified CSS content to applications using ruby-css-parser to load remote stylesheets.

The issue is tracked as CVE-2026-44312. It is not a regression relative to previous Debian releases, the vulnerable code has existed since at least upstream version 1.3.6.

[ Impact ]
Without this update, HTTPS connections made by ruby-css-parser do not authenticate the remote server. Applications loading remote CSS can therefore receive attacker-controlled content despite using HTTPS.

[ Tests ]
All enabled jobs passed, including the package build, autopkgtest, reverse dependencies tests, and other Salsa CI checks:

https://salsa.debian.org/aquila/ruby-css-parser/-/pipelines/1102627

[ Risks ]
The fix is a single-line deletion that restores the default TLS certificate verification behavior. The change is low risk and does not affect parsing logic, public APIs, dependencies, or package configuration.

Connections to servers using invalid or untrusted certificates will now fail, which is the intended behavior.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Import the upstream fix for CVE-2026-44312, removing the explicit disabling of HTTPS certificate verification.
* Add the patch to debian/patches/series.
* Document the stable update in debian/changelog.
diff -Nru ruby-css-parser-1.6.0/debian/changelog 
ruby-css-parser-1.6.0/debian/changelog
--- ruby-css-parser-1.6.0/debian/changelog      2021-11-15 12:42:36.000000000 
-0500
+++ ruby-css-parser-1.6.0/debian/changelog      2026-05-24 16:05:02.000000000 
-0400
@@ -1,3 +1,11 @@
+ruby-css-parser (1.6.0-2+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * Import upstream patch to stop disabling HTTPS certificate verification
+    when loading remote CSS. (CVE-2026-44312)
+
+ -- Aquila Macedo Costa <[email protected]>  Sun, 24 May 2026 16:05:02 -0400
+
 ruby-css-parser (1.6.0-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru ruby-css-parser-1.6.0/debian/patches/CVE-2026-44312.patch 
ruby-css-parser-1.6.0/debian/patches/CVE-2026-44312.patch
--- ruby-css-parser-1.6.0/debian/patches/CVE-2026-44312.patch   1969-12-31 
19:00:00.000000000 -0500
+++ ruby-css-parser-1.6.0/debian/patches/CVE-2026-44312.patch   2026-05-24 
16:05:02.000000000 -0400
@@ -0,0 +1,22 @@
+From e0c95d5abe91b237becb90ff316531a6547ada18 Mon Sep 17 00:00:00 2001
+From: Michael Grosser <[email protected]>
+Date: Mon, 27 Apr 2026 17:10:14 -0700
+Subject: [PATCH] Merge pull request #186 from premailer/grosser/https
+
+verify ssl when loading files over https
+---
+ lib/css_parser/parser.rb | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/css_parser/parser.rb b/lib/css_parser/parser.rb
+index 4312c87..3fb4711 100644
+--- a/lib/css_parser/parser.rb
++++ b/lib/css_parser/parser.rb
+@@ -583,7 +583,6 @@ module CssParser
+             uri.port = 443 unless uri.port
+             http = Net::HTTP.new(uri.host, uri.port)
+             http.use_ssl = true
+-            http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+           else
+             http = Net::HTTP.new(uri.host, uri.port)
+           end
diff -Nru ruby-css-parser-1.6.0/debian/patches/series 
ruby-css-parser-1.6.0/debian/patches/series
--- ruby-css-parser-1.6.0/debian/patches/series 2021-11-15 12:42:36.000000000 
-0500
+++ ruby-css-parser-1.6.0/debian/patches/series 2026-05-24 16:05:02.000000000 
-0400
@@ -1,2 +1,3 @@
 0001-Sanitize-test-suite.patch
 0002-Disable-tests-that-hit-the-network.patch
+CVE-2026-44312.patch

--- End Message ---
--- Begin Message ---
Version: 12.15

This update was released as part of 12.15.

--- End Message ---

Reply via email to