Package: release.debian.org
Control: affects -1 + src:ruby-css-parser
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: trixie
X-Debbugs-Cc: [email protected]
Severity: normal
[ Reason ]
ruby-css-parser explicitly disables TLS certificate verification when
loading CSS from HTTPS URLs by setting OpenSSL::SSL::VERIFY_NONE.
This allows a man-in-the-middle attacker to provide modified CSS content
to applications using ruby-css-parser to load remote stylesheets.
The issue is tracked as CVE-2026-44312. It is not a regression relative
to previous Debian releases; the vulnerable code has existed since at
least upstream version 1.3.6.
[ Impact ]
Without this update, HTTPS connections made by ruby-css-parser do not
authenticate the remote server. Applications loading remote CSS can
therefore receive attacker-controlled content despite using HTTPS.
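As an added illustration (not part of this upload and not ruby-css-parser's own code), the following Ruby script reproduces the two Net::HTTP configurations from the hunk in debian/patches/CVE-2026-44312.patch and shows what each one means against a forged certificate. The self-signed "cdn.example.net" certificate, the rogue CSS body and the helper names are constructed for the example; the effective-mode helper reproduces the SSLContext#set_params merge that Net::HTTP performs, without opening a network connection, and the handshake runs over an in-process socket pair.

```ruby
require 'openssl'
require 'socket'
require 'net/http'
require 'uri'

# --- Part 1: the two Net::HTTP configurations, as in CssParser::Parser#load_uri! ---

# Pre-patch shape: certificate verification explicitly switched off.
def vulnerable_client(uri)
  http = Net::HTTP.new(uri.host, uri.port || 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE # the line CVE-2026-44312.patch deletes
  http
end

# Post-patch shape: verify_mode left unset, so Ruby's defaults apply.
def fixed_client(uri)
  http = Net::HTTP.new(uri.host, uri.port || 443)
  http.use_ssl = true
  http
end

# Net::HTTP#connect passes only the explicitly set SSL attributes to
# OpenSSL::SSL::SSLContext#set_params, which merges them over
# SSLContext::DEFAULT_PARAMS (verify_mode VERIFY_PEER, verify_hostname true).
# Reproducing that merge lets us read the effective mode without connecting.
def effective_verify_mode(http)
  ctx = OpenSSL::SSL::SSLContext.new
  params = {}
  params[:verify_mode] = http.verify_mode unless http.verify_mode.nil?
  ctx.set_params(params)
  ctx.verify_mode
end

# --- Part 2: what each mode does against an attacker's forged certificate ---

# Constructed self-signed certificate playing the MITM's fake "cdn.example.net".
def forged_server_identity
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=cdn.example.net')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# TLS handshake over an in-process socket pair (no network). verify_mode nil
# means "leave the default", exactly like the patched parser. Returns the CSS
# the client accepted, or :rejected when the forged certificate was refused.
def fetch_over_mitm(verify_mode, rogue_css)
  key, cert = forged_server_identity
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert
  server_ctx.key = key

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.set_params(verify_mode.nil? ? {} : { verify_mode: verify_mode })

  client_io, server_io = Socket.pair(:UNIX, :STREAM)
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(server_io, server_ctx)
    ssl.sync_close = true
    begin
      ssl.accept
      ssl.write(rogue_css)
      ssl.close
    rescue StandardError
      server_io.close unless server_io.closed? # client refused our certificate
    end
  end

  client = OpenSSL::SSL::SSLSocket.new(client_io, client_ctx)
  client.sync_close = true
  client.hostname = 'cdn.example.net'
  begin
    client.connect
    client.read(rogue_css.bytesize)
  rescue OpenSSL::SSL::SSLError
    :rejected
  ensure
    client_io.close unless client_io.closed?
    server.join
  end
end

if __FILE__ == $PROGRAM_NAME
  css = "body { background: url('https://attacker.example/beacon') }" # constructed
  puts "VERIFY_NONE client got: #{fetch_over_mitm(OpenSSL::SSL::VERIFY_NONE, css).inspect}"
  puts "default client got:     #{fetch_over_mitm(nil, css).inspect}"
end
```

Run as a script, the VERIFY_NONE client happily receives the attacker's stylesheet, while the default (post-patch) client aborts the handshake with an OpenSSL::SSL::SSLError because the forged certificate chains to no trusted CA. The same check can be pointed at a real host with an untrusted certificate to confirm the packaged fix behaves the same way.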
[ Tests ]
All enabled jobs passed, including the package build, autopkgtest,
reverse dependencies tests, and other Salsa CI checks:
https://salsa.debian.org/aquila/ruby-css-parser/-/pipelines/1102614
[ Risks ]
The fix is a single-line deletion that restores Net::HTTP's default
certificate verification (OpenSSL::SSL::VERIFY_PEER). The change is low
risk and does not affect parsing logic, public APIs, dependencies, or
package configuration. The one user-visible behavioural change is that
loading CSS from an HTTPS host whose certificate cannot be validated now
fails instead of silently succeeding.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Import the upstream fix for CVE-2026-44312, removing the explicit
disabling of HTTPS certificate verification.
* Add the patch to debian/patches/series.
* Document the stable update in debian/changelog.
diff -Nru ruby-css-parser-1.19.0/debian/changelog
ruby-css-parser-1.19.0/debian/changelog
--- ruby-css-parser-1.19.0/debian/changelog 2024-09-25 15:13:12.000000000
-0400
+++ ruby-css-parser-1.19.0/debian/changelog 2026-06-05 20:23:34.000000000
-0400
@@ -1,3 +1,11 @@
+ruby-css-parser (1.19.0-1+deb13u1) trixie; urgency=medium
+
+ * Team upload.
+ * Import upstream patch to stop disabling HTTPS certificate verification
+ when loading remote CSS. (CVE-2026-44312)
+
+ -- Aquila Macedo Costa <[email protected]> Fri, 05 Jun 2026 21:23:34 -0300
+
ruby-css-parser (1.19.0-1) unstable; urgency=medium
* New upstream version 1.19.0
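Review bot: the changelog entry says what was removed but not what users will observe; since this is a stable update, spell out that remote CSS loads from HTTPS hosts with untrusted certificates now fail where they previously succeeded, so anyone who relied on that can find the cause from the changelog alone. The version 1.19.0-1+deb13u1 and the trixie distribution are consistent with the Tags: trixie header of the request.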
diff -Nru ruby-css-parser-1.19.0/debian/patches/CVE-2026-44312.patch
ruby-css-parser-1.19.0/debian/patches/CVE-2026-44312.patch
--- ruby-css-parser-1.19.0/debian/patches/CVE-2026-44312.patch 1969-12-31
19:00:00.000000000 -0500
+++ ruby-css-parser-1.19.0/debian/patches/CVE-2026-44312.patch 2026-06-05
20:23:34.000000000 -0400
@@ -0,0 +1,22 @@
+From e0c95d5abe91b237becb90ff316531a6547ada18 Mon Sep 17 00:00:00 2001
+From: Michael Grosser <[email protected]>
+Date: Mon, 27 Apr 2026 17:10:14 -0700
+Subject: [PATCH] Merge pull request #186 from premailer/grosser/https
+
+verify ssl when loading files over https
+---
+ lib/css_parser/parser.rb | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/css_parser/parser.rb b/lib/css_parser/parser.rb
+index 11dd36f..e8d8dcb 100644
+--- a/lib/css_parser/parser.rb
++++ b/lib/css_parser/parser.rb
+@@ -646,7 +646,6 @@ module CssParser
+ uri.port = 443 unless uri.port
+ http = Net::HTTP.new(uri.host, uri.port)
+ http.use_ssl = true
+- http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ else
+ http = Net::HTTP.new(uri.host, uri.port)
+ end
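Review bot: the deletion in the HTTPS branch leaves http.verify_mode unset and relies on Net::HTTP's default, which comes from OpenSSL::SSL::SSLContext::DEFAULT_PARAMS (VERIFY_PEER with hostname verification); that is the correct outcome, but setting `http.verify_mode = OpenSSL::SSL::VERIFY_PEER` explicitly would make the intent visible at the call site and not depend on the default. On provenance, the git-format header (From/Date/Subject) is acceptable DEP-3, but the Subject is the merge commit title "Merge pull request #186 from premailer/grosser/https"; an Origin: line naming upstream commit e0c95d5abe91b237becb90ff316531a6547ada18 and a Bug: or Bug-Debian: reference would make the patch easier to trace when the CVE is later cross-checked.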
diff -Nru ruby-css-parser-1.19.0/debian/patches/series
ruby-css-parser-1.19.0/debian/patches/series
--- ruby-css-parser-1.19.0/debian/patches/series 2024-09-25
15:13:12.000000000 -0400
+++ ruby-css-parser-1.19.0/debian/patches/series 2026-06-05
20:23:34.000000000 -0400
@@ -1,2 +1,3 @@
0001-Sanitize-test-suite.patch
0002-Disable-tests-that-hit-the-network.patch
+CVE-2026-44312.patch
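Review bot: the new entry is appended after 0002-Disable-tests-that-hit-the-network.patch, which presumably leaves no test exercising an HTTPS load, so the build and autopkgtest passes cited in [ Tests ] cannot show the verification change taking effect; a manual check against a host with an untrusted certificate (connection now refused) is worth recording in the bug. Naming: the existing entries carry an NNNN- prefix and CVE-2026-44312.patch breaks that sequence, which is fine if deliberate but worth keeping consistent across future uploads.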