Security: XSS bug in Loofah

Related Vulnerabilities: CVE-2022-23515

Debian Bug report logs - #1026083


Reported by: Hans-Christoph Steiner <hans@eds.org>

Date: Wed, 14 Dec 2022 12:27:01 UTC

Severity: serious

Tags: fixed-upstream, help, security, upstream

Found in versions ruby-loofah/2.2.2-1~bpo9+1, ruby-loofah/2.7.0+dfsg-1, ruby-loofah/2.2.3-1+deb10u1, ruby-loofah/2.4.0+dfsg-1~bpo10+1, ruby-loofah/2.1.0, ruby-loofah/2.19.0-1

Fixed in version ruby-loofah/2.19.1-1

Done: Hans-Christoph Steiner <hans@eds.org>



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#1026083; Package ruby-loofah. (Wed, 14 Dec 2022 12:27:04 GMT)


Acknowledgement sent to Hans-Christoph Steiner <hans@eds.org>:
New Bug report received and forwarded. Copy sent to Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 14 Dec 2022 12:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Hans-Christoph Steiner <hans@eds.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: Sylvia van Os <sylvia@hackerchick.me>, Mohammed Bilal <mdbilal@disroot.org>
Subject: Security: XSS bug in Loofah
Date: Wed, 14 Dec 2022 13:21:55 +0100
Package: ruby-loofah
Version: 2.19.0-1
Severity: serious

control: affects -1 ruby-loofah/2.1.0
control: affects -1 ruby-loofah/2.7.0+dfsg-1
control: tags -1 fixed-upstream security help

An XSS issue has been discovered in Loofah:
https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx

It is fixed in the upstream release v2.19.1.



Added indication that 1026083 affects ruby-loofah/2.1.0. Request was from Hans-Christoph Steiner <hans@eds.org> to control@bugs.debian.org. (Wed, 14 Dec 2022 12:48:03 GMT)


Added indication that 1026083 affects ruby-loofah/2.7.0+dfsg-1. Request was from Hans-Christoph Steiner <hans@eds.org> to control@bugs.debian.org. (Wed, 14 Dec 2022 12:48:03 GMT)


Added tag(s) fixed-upstream, help, and security. Request was from Hans-Christoph Steiner <hans@eds.org> to control@bugs.debian.org. (Wed, 14 Dec 2022 12:48:04 GMT)


Added indication that 1026083 affects ruby-loofah/2.2.2-1~bpo9+1. Request was from Hans-Christoph Steiner <hans@eds.org> to control@bugs.debian.org. (Wed, 14 Dec 2022 12:54:03 GMT)


Added indication that 1026083 affects ruby-loofah/2.2.3-1+deb10u1. Request was from Hans-Christoph Steiner <hans@eds.org> to control@bugs.debian.org. (Wed, 14 Dec 2022 12:54:03 GMT)


Added indication that 1026083 affects ruby-loofah/2.4.0+dfsg-1~bpo10+1. Request was from Hans-Christoph Steiner <hans@eds.org> to control@bugs.debian.org. (Wed, 14 Dec 2022 12:54:04 GMT)


Marked as found in versions ruby-loofah/2.1.0. Request was from Hans-Christoph Steiner <hans@eds.org> to control@bugs.debian.org. (Wed, 14 Dec 2022 13:00:03 GMT)


Marked as found in versions ruby-loofah/2.7.0+dfsg-1. Request was from Hans-Christoph Steiner <hans@eds.org> to control@bugs.debian.org. (Wed, 14 Dec 2022 13:00:04 GMT)


Marked as found in versions ruby-loofah/2.2.2-1~bpo9+1. Request was from Hans-Christoph Steiner <hans@eds.org> to control@bugs.debian.org. (Wed, 14 Dec 2022 13:00:04 GMT)


Marked as found in versions ruby-loofah/2.2.3-1+deb10u1. Request was from Hans-Christoph Steiner <hans@eds.org> to control@bugs.debian.org. (Wed, 14 Dec 2022 13:00:05 GMT)


Marked as found in versions ruby-loofah/2.4.0+dfsg-1~bpo10+1. Request was from Hans-Christoph Steiner <hans@eds.org> to control@bugs.debian.org. (Wed, 14 Dec 2022 13:00:05 GMT)


Reply sent to Hans-Christoph Steiner <hans@eds.org>:
You have taken responsibility. (Wed, 14 Dec 2022 13:45:05 GMT)


Notification sent to Hans-Christoph Steiner <hans@eds.org>:
Bug acknowledged by developer. (Wed, 14 Dec 2022 13:45:05 GMT)


Message #32 received at 1026083-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1026083-close@bugs.debian.org
Subject: Bug#1026083: fixed in ruby-loofah 2.19.1-1
Date: Wed, 14 Dec 2022 13:42:59 +0000
Source: ruby-loofah
Source-Version: 2.19.1-1
Done: Hans-Christoph Steiner <hans@eds.org>

We believe that the bug you reported is fixed in the latest version of
ruby-loofah, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1026083@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hans-Christoph Steiner <hans@eds.org> (supplier of updated ruby-loofah package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 14 Dec 2022 13:36:17 +0100
Source: ruby-loofah
Architecture: source
Version: 2.19.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Hans-Christoph Steiner <hans@eds.org>
Closes: 1026083
Changes:
 ruby-loofah (2.19.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.19.1 (Closes: #1026083) (CVE-2022-23515)
Checksums-Sha1:
 e73f996106e40474cc50a57256d47f78ddef327a 1823 ruby-loofah_2.19.1-1.dsc
 f8677409dac451de4cb4dac81eab10b79c2ae8f0 24572 ruby-loofah_2.19.1.orig.tar.xz
 747a10958b8a3a730466df95430c8170d5e4155a 4088 ruby-loofah_2.19.1-1.debian.tar.xz
 96a6f1bf02a7314cd1a1d0c09dec0fb6ebc1aeaf 12665 ruby-loofah_2.19.1-1_source.buildinfo
Checksums-Sha256:
 86aa6fe5cf1249b2a1f4d13d1fbe10468a3e183e8fca3d0ab1888310d00f380e 1823 ruby-loofah_2.19.1-1.dsc
 f80bcbddde17c5c6cbe4eb262e8336c75a236f6b71525cde3b5f52ea2eb7b2e7 24572 ruby-loofah_2.19.1.orig.tar.xz
 81f859d725cb4b37ab28f6c67cc8200eb418067f9200715d5d0780cd12b40160 4088 ruby-loofah_2.19.1-1.debian.tar.xz
 a838fdaa5c39badea9989dbcc1fef558b387c681d8b518096571df454cc8aefc 12665 ruby-loofah_2.19.1-1_source.buildinfo
Files:
 2cd021a617e17004a18e8ad247c02dfe 1823 ruby optional ruby-loofah_2.19.1-1.dsc
 e90fdf270ff57fc75bca5f20f56c99e8 24572 ruby optional ruby-loofah_2.19.1.orig.tar.xz
 b3bca4e6af235aa44ed127cfb6a5e1ac 4088 ruby optional ruby-loofah_2.19.1-1.debian.tar.xz
 2f079fd122311fe5b64847e7024dd141 12665 ruby optional ruby-loofah_2.19.1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEElyI52+aGmfUmwGoFPhd4F7obm/oFAmOZxOQACgkQPhd4F7ob
m/rUYwf/YO8S4Ojw3+XL0+m9xl25k3eetpD5UkD3DbNELd4sxcTwMcsTO5gVn1wq
Tt7a0URwbqzqn0rFwJEJeyTPgAOU3GKcNkKkMbOsfQ8T0pO7XywkWlhs1YKX/Id/
Z+q9bSxfHzgaKNX6k2YyJup7pYb3YqAwdHFo5iiULvmz+TJ1vDyj9F5dxmBUqyZr
xG7JWvOlOXAl61JXeVnIFT8BSi/jodFri6e/D//dT2vdS3XC31azhynPvNoWNGeo
Q2ZIrNJQgNUxu1ryHWo2oF72B6rUqLQ42JlehyVhkRRLLjBNVrh/TcyXFliqrh4i
IbjFkkPD7eBF74UqipYPOjNcip02Fw==
=13Zh
-----END PGP SIGNATURE-----




Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 14 Dec 2022 16:15:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Dec 15 07:20:02 2022; Machine Name: buxtehude
