-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ----------------------------------------------------------------------- Debian LTS Advisory DLA-2526-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta January 15, 2021 https://wiki.debian.org/LTS - -----------------------------------------------------------------------
Package : ruby-redcarpet Version : 3.3.4-2+deb9u1 CVE ID : CVE-2020-26298 Debian Bug : 980057 In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions, no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. For Debian 9 stretch, this problem has been fixed in version 3.3.4-2+deb9u1. We recommend that you upgrade your ruby-redcarpet packages. For the detailed security status of ruby-redcarpet please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby-redcarpet Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmABbVYACgkQgj6WdgbD S5adqQ/9FwfgKSUYAacbG+/SXWa0Nlrx+IDl8zo1eTZ3gtLWzJvGBJwlufCvZfN6 htRhWWVLLxpsgC012GEDOvWSsvmFBZ7/JEZ9M6cNftYJFfYEwrnDiDc+G+tZxrV5 pIzfyfWXoYd+uZ4NqtLbcEoVHZJTO7kGS4NkkXNQheXpnQ+OKzMWJjfONxsM7IBN q7n7wLOKgmX7OksK2PNAlo8EBg3soso45kUJqv3Nr60Eq6ulj+mWSoC7Zo3vneUM R4GCXV6XGX1nVH8VIHYSPKQ1lobXGPzmp6bzIMis8zf/AePHjBFlcfVYRl8k8NOn ucYjoeYpQ/561Sm+DAI3WE8R3hyOeqsWR2ehN0ln4gkhyN9ddJP6GYcsU2oJ+HMG 1nIW194QWUyVwFI2I9mmFpUal35vFHnJND7BMEHoneWfyklHsoXOfDaQz8AajDS2 sEQwAM3I27yfvtPpV/HkD3ZtILbyP1rzN/zBPs0HJyH83o1mnvZEE+gz5/7HUguI ZEm+SBgCOCNjNKykZ/RCXWkVCNc3ot4R0hFDgPlxKLGx+3LintZkTeP3xxfyjoVi yo2lRHdEK1G0kUOVm1pq3nKY7eD394yTIxMb3qiUNdNbe+tJwY7+8QtqtO1qbhke 4I5fK40rzBLvzOQGrADx7ZXrtS4fqUkGBiZPsrCQmS4DcSEFn70= =y3i8 -----END PGP SIGNATURE-----
