Your message dated Mon, 18 Mar 2024 22:02:59 +0000
with message-id <[email protected]>
and subject line Bug#1065118: fixed in yard 0.9.24-1+deb11u1
has caused the Debian Bug report #1065118,
regarding yard: CVE-2024-27285
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1065118: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065118
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: yard
Version: 0.9.34-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 0.9.28-2
Control: found -1 0.9.24-1

Hi,

The following vulnerability was published for yard.

CVE-2024-27285[0]:
| YARD is a Ruby Documentation tool. The "frames.html" file within the
| Yard Doc's generated documentation is vulnerable to Cross-Site
| Scripting (XSS) attacks due to inadequate sanitization of user input
| within the JavaScript segment of the "frames.erb" template file.
| This vulnerability is fixed in 0.9.35.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27285
    https://www.cve.org/CVERecord?id=CVE-2024-27285
[1] https://github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc
[2] https://github.com/lsegal/yard/commit/d78fc393d603c4fc35975969296ed381146a29d4

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: yard
Source-Version: 0.9.24-1+deb11u1
Done: Moritz Mühlenhoff <[email protected]>

We believe that the bug you reported is fixed in the latest version of
yard, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated yard package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 01 Mar 2024 11:50:42 +0100
Source: yard
Architecture: source
Version: 0.9.24-1+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1065118
Changes:
 yard (0.9.24-1+deb11u1) bullseye-security; urgency=medium
 .
   * CVE-2024-27285 (Closes: #1065118)

--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
