ruby-loofah: CVE-2018-8048

Debian Bug report logs - #893596
ruby-loofah: CVE-2018-8048

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 20 Mar 2018 09:15:01 UTC

Severity: important

Tags: confirmed, patch, security, upstream

Found in version ruby-loofah/2.0.3-2

Fixed in versions ruby-loofah/2.2.1-1, ruby-loofah/2.0.3-2+deb9u1

Done: Georg Faerber <georg@riseup.net>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/flavorjones/loofah/issues/144
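The two fixed versions belong to different suites: 2.0.3-2+deb9u1 is the stretch-security upload and 2.2.1-1 the unstable one, so a stretch system at 2.0.3-2+deb9u1 carries the fix while an unstable system at, say, 2.1.0-1 does not, even though it sorts above the stretch version. The Ruby module below is an added example, not part of the bug report or of the loofah project; it reimplements dpkg's version ordering (epoch, upstream part, revision, with `~` sorting lowest) so the installed version can be checked against the fix for its own suite. The module name, the `FIXED` table keys and the `affected?` helper are my own.

```ruby
module LoofahCVE20188048
  FIXED = { "stretch" => "2.0.3-2+deb9u1", "unstable" => "2.2.1-1" }.freeze # fixed-in versions from Bug#893596, by suite
  module_function
  def digit?(c); !c.nil? && c.between?("0", "9"); end
  # Character weight as in dpkg: '~' sorts before everything, even end of
  # string; letters by code point; other punctuation after letters.
  def order(c)
    return 0 if c.nil? || digit?(c)
    return c.ord if c.match?(/[A-Za-z]/)
    c == "~" ? -1 : c.ord + 256
  end
  # Compare one fragment (upstream part or revision) by alternating
  # non-digit runs (by weight) and digit runs (by numeric value).
  def frag_cmp(a, b)
    ai = bi = 0
    while ai < a.length || bi < b.length
      while (ai < a.length && !digit?(a[ai])) || (bi < b.length && !digit?(b[bi]))
        ac, bc = order(a[ai]), order(b[bi])
        return ac <=> bc if ac != bc
        ai += 1; bi += 1
      end
      ai += 1 while a[ai] == "0"
      bi += 1 while b[bi] == "0"
      first_diff = 0
      while digit?(a[ai]) && digit?(b[bi])
        first_diff = a[ai].ord - b[bi].ord if first_diff.zero?
        ai += 1; bi += 1
      end
      return 1 if digit?(a[ai])
      return -1 if digit?(b[bi])
      return first_diff <=> 0 unless first_diff.zero?
    end
    0
  end
  # Split "epoch:upstream-revision"; epoch and revision are optional.
  def parse(v)
    epoch, rest = v.include?(":") ? v.split(":", 2) : ["0", v]
    dash = rest.rindex("-")
    [epoch.to_i, dash ? rest[0...dash] : rest, dash ? rest[dash + 1..-1] : ""]
  end
  # -1, 0 or 1, like dpkg --compare-versions.
  def compare(a, b)
    (ea, ua, ra), (eb, ub, rb) = parse(a), parse(b)
    return ea <=> eb if ea != eb
    c = frag_cmp(ua, ub)
    c.zero? ? frag_cmp(ra, rb) : c
  end
  # True when the installed version is older than the fix for that suite.
  def affected?(installed, suite); compare(installed, FIXED.fetch(suite)) < 0; end
end
```

The installed version to feed in is what `dpkg-query -W -f '${Version}' ruby-loofah` reports on the host being checked.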


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#893596; Package src:ruby-loofah. (Tue, 20 Mar 2018 09:15:18 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 20 Mar 2018 09:15:18 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-loofah: CVE-2018-8048
Date: Tue, 20 Mar 2018 10:14:22 +0100
Source: ruby-loofah
Version: 2.0.3-2
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/flavorjones/loofah/issues/144

Hi,

the following vulnerability was published for ruby-loofah.

CVE-2018-8048[0]:
XSS vulnerability

The issue is actually raised by an underlying issue in libxml2, but
the CVE is specifically assigned for the loofah fix.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8048
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8048
[1] https://github.com/flavorjones/loofah/issues/144
[2] https://github.com/flavorjones/loofah/commit/4a08c25a603654f2fc505a7d2bf0c35a39870ad7

Regards,
Salvatore



Added tag(s) pending and confirmed. Request was from Georg Faerber <georg@riseup.net> to control@bugs.debian.org. (Thu, 22 Mar 2018 00:42:03 GMT) (full text, mbox, link).


Reply sent to Georg Faerber <georg@riseup.net>:
You have taken responsibility. (Thu, 22 Mar 2018 13:24:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 22 Mar 2018 13:24:06 GMT) (full text, mbox, link).


Message #12 received at 893596-close@bugs.debian.org (full text, mbox, reply):

From: Georg Faerber <georg@riseup.net>
To: 893596-close@bugs.debian.org
Subject: Bug#893596: fixed in ruby-loofah 2.2.1-1
Date: Thu, 22 Mar 2018 13:22:09 +0000
Source: ruby-loofah
Source-Version: 2.2.1-1

We believe that the bug you reported is fixed in the latest version of
ruby-loofah, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893596@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Georg Faerber <georg@riseup.net> (supplier of updated ruby-loofah package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 21 Mar 2018 23:10:40 +0100
Source: ruby-loofah
Binary: ruby-loofah
Architecture: source
Version: 2.2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Georg Faerber <georg@riseup.net>
Description:
 ruby-loofah - manipulation and transformation of HTML/XML documents and fragmen
Closes: 893596
Changes:
 ruby-loofah (2.2.1-1) unstable; urgency=medium
 .
   * New upstream release:
     - Includes fix to prevent cross-site scripting via libxml2.
       (Closes: #893596) (CVE-2018-8048)
   * debian/changelog: Remove trailing whitespace.
   * debian/compat: Bump debhelper compatibility level to 11.
   * debian/control:
     - Use salsa.debian.org in Vcs-* fields.
     - Bump Standards-Version to 4.1.3 (no changes needed).
     - Bump required debhelper version to >= 11~.
     - Add ruby-crass as (build) dependency.
     - Add myself as Uploader.
   * debian/copyright:
     - Use HTTPS in link to copyright format specification.
     - Update Debian packaging authors.
   * debian/patches: Drop obsolete patch to fix failing specs. This was
     integrated upstream.
   * debian/ruby-loofah.docs: Install upstream README.
   * debian/watch: Use version 4 and HTTPS in link to gemwatch service.




Reply sent to Georg Faerber <georg@riseup.net>:
You have taken responsibility. (Mon, 16 Apr 2018 19:06:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 16 Apr 2018 19:06:05 GMT) (full text, mbox, link).


Message #17 received at 893596-close@bugs.debian.org (full text, mbox, reply):

From: Georg Faerber <georg@riseup.net>
To: 893596-close@bugs.debian.org
Subject: Bug#893596: fixed in ruby-loofah 2.0.3-2+deb9u1
Date: Mon, 16 Apr 2018 19:02:41 +0000
Source: ruby-loofah
Source-Version: 2.0.3-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
ruby-loofah, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893596@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Georg Faerber <georg@riseup.net> (supplier of updated ruby-loofah package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 24 Mar 2018 16:13:55 +0100
Source: ruby-loofah
Binary: ruby-loofah
Architecture: source all
Version: 2.0.3-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Georg Faerber <georg@riseup.net>
Description:
 ruby-loofah - manipulation and transformation of HTML/XML documents and fragmen
Closes: 893596
Changes:
 ruby-loofah (2.0.3-2+deb9u1) stretch-security; urgency=high
 .
   * Introduce upstream patch to address a potential cross-site scripting
     vulnerability caused by libxml2 >= 2.9.2. (Closes: #893596)
     (CVE-2018-8048)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 May 2018 07:34:10 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:12:40 2019; Machine Name: buxtehude
