ruby-sanitize: CVE-2018-3740

Related Vulnerabilities: CVE-2018-3740  

Debian Bug report logs - #893610
ruby-sanitize: CVE-2018-3740


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 20 Mar 2018 12:57:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version ruby-sanitize/2.1.0-1

Fixed in versions ruby-sanitize/4.6.5-1, ruby-sanitize/2.1.0-2+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/rgrove/sanitize/issues/176



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#893610; Package src:ruby-sanitize. (Tue, 20 Mar 2018 12:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 20 Mar 2018 12:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-sanitize: CVE-2018-3740
Date: Tue, 20 Mar 2018 13:52:50 +0100
Source: ruby-sanitize
Version: 2.1.0-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/rgrove/sanitize/issues/176

Hi,

the following vulnerability was published for ruby-sanitize.

CVE-2018-3740[0]:
Sanitize HTML injection vulnerability

Code has changed quite a bit (e.g. the 'clean' -> 'fragment' method change
in v3.0.0), but the underlying issue seems present in the 2.1.0 based
version as well afaics.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-3740
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3740
[1] https://github.com/rgrove/sanitize/issues/176
[2] https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e

Regards,
Salvatore



Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 20 Mar 2018 13:30:11 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 26 Mar 2018 17:36:31 GMT)


Reply sent to Pirate Praveen <praveen@debian.org>:
You have taken responsibility. (Wed, 13 Jun 2018 11:39:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 13 Jun 2018 11:39:07 GMT)


Message #14 received at 893610-close@bugs.debian.org:

From: Pirate Praveen <praveen@debian.org>
To: 893610-close@bugs.debian.org
Subject: Bug#893610: fixed in ruby-sanitize 4.6.5-1
Date: Wed, 13 Jun 2018 11:37:11 +0000
Source: ruby-sanitize
Source-Version: 4.6.5-1

We believe that the bug you reported is fixed in the latest version of
ruby-sanitize, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893610@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated ruby-sanitize package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 13 Jun 2018 16:27:12 +0530
Source: ruby-sanitize
Binary: ruby-sanitize
Architecture: source
Version: 4.6.5-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Description:
 ruby-sanitize - whitelist-based HTML sanitizer
Closes: 893610
Changes:
 ruby-sanitize (4.6.5-1) experimental; urgency=medium
 .
   * Team upload
 .
   [ Cédric Boutillier ]
   * Remove version in the gem2deb build-dependency
   * Use https:// in Vcs-* fields
   * Use https:// in Vcs-* fields
 .
   [ Pirate Praveen ]
   * New upstream version 4.6.5 (Closes: #893610) (Fixes: CVE-2018-3740)
   * Bump Standards-Version to 4.1.4 (no changes needed)
   * Bump debhelper compatibility level to 11
   * Use salsa.debian.org in Vcs-* fields
   * Update gemwatch url
   * Update dependencies, add Testsuite field
   * Check dependencies during build





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#893610; Package src:ruby-sanitize. (Sun, 29 Jul 2018 06:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 29 Jul 2018 06:39:04 GMT)


Message #19 received at 893610@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Pirate Praveen <praveen@debian.org>
Cc: 893610@bugs.debian.org
Subject: Re: Bug#893610 closed by Pirate Praveen <praveen@debian.org> (Bug#893610: fixed in ruby-sanitize 4.6.5-1)
Date: Sun, 29 Jul 2018 08:34:18 +0200
Hi!

On Wed, Jun 13, 2018 at 11:39:07AM +0000, Debian Bug Tracking System wrote:
>  ruby-sanitize (4.6.5-1) experimental; urgency=medium
[...]
>    [ Pirate Praveen ]
>    * New upstream version 4.6.5 (Closes: #893610) (Fixes: CVE-2018-3740)

Any plans for moving this to unstable, or is anything blocking it?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#893610; Package src:ruby-sanitize. (Tue, 31 Jul 2018 09:45:04 GMT)


Acknowledgement sent to Pirate Praveen <praveen@onenetbeyond.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 31 Jul 2018 09:45:04 GMT)


Message #24 received at 893610@bugs.debian.org:

From: Pirate Praveen <praveen@onenetbeyond.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 893610@bugs.debian.org
Subject: Re: Bug#893610 closed by Pirate Praveen <praveen@debian.org> (Bug#893610: fixed in ruby-sanitize 4.6.5-1)
Date: Tue, 31 Jul 2018 15:09:52 +0530
On 29/07/18 12:04 PM, Salvatore Bonaccorso wrote:
> Any plans for moving this to unstable, or is anything blocking it? 

ruby-gollum-lib needs an update along with ruby-sanitize, but this
ruby-gollum-lib update also needs a newer ruby-rouge. Updating
ruby-rouge requires an update to jekyll, which is in progress (requires
some new dependencies).

In short, once we are ready to upload jekyll to unstable, we can upload
ruby-sanitize also to unstable.



Added blocking bug(s) of 893610: 902504. Request was from Pirate Praveen <praveen@debian.org> to control@bugs.debian.org. (Tue, 31 Jul 2018 09:57:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#893610; Package src:ruby-sanitize. (Tue, 31 Jul 2018 10:33:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 31 Jul 2018 10:33:03 GMT)


Message #31 received at 893610@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Pirate Praveen <praveen@onenetbeyond.org>
Cc: 893610@bugs.debian.org
Subject: Re: Bug#893610 closed by Pirate Praveen <praveen@debian.org> (Bug#893610: fixed in ruby-sanitize 4.6.5-1)
Date: Tue, 31 Jul 2018 12:31:59 +0200
Hi,

On Tue, Jul 31, 2018 at 03:09:52PM +0530, Pirate Praveen wrote:
> On 29/07/18 12:04 PM, Salvatore Bonaccorso wrote:
> > Any plans for moving this to unstable, or is anything blocking it? 
> 
> ruby-gollum-lib needs an update along with ruby-sanitize, but this
> ruby-gollum-lib update also needs a newer ruby-rouge. Updating
> ruby-rouge requires an update to jekyll, which is in progress (requires
> some new dependencies).
> 
> In short, once we are ready to upload jekyll to unstable, we can upload
> ruby-sanitize also to unstable.

Alright, thanks for the update!

Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 30 Dec 2018 22:06:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 30 Dec 2018 22:06:03 GMT)


Message #36 received at 893610-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 893610-close@bugs.debian.org
Subject: Bug#893610: fixed in ruby-sanitize 2.1.0-2+deb9u1
Date: Sun, 30 Dec 2018 22:03:25 +0000
Source: ruby-sanitize
Source-Version: 2.1.0-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
ruby-sanitize, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893610@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ruby-sanitize package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 26 Dec 2018 23:32:37 +0100
Source: ruby-sanitize
Binary: ruby-sanitize
Architecture: source
Version: 2.1.0-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 ruby-sanitize - whitelist-based HTML sanitizer
Closes: 893610
Changes:
 ruby-sanitize (2.1.0-2+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Improper filtering by libxml2 leads to HTML injection vulnerability
     (CVE-2018-3740) (Closes: #893610)
   * Drop fix-tests-sanitize.patch patch





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Feb 2019 07:25:44 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:46:14 2019; Machine Name: buxtehude
