Debian Bug report logs - #812814
CVE-2015-7578 CVE-2015-7579 CVE-2015-7580


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 26 Jan 2016 20:57:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version ruby-rails-html-sanitizer/1.0.2-1

Fixed in version ruby-rails-html-sanitizer/1.0.3-1

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#812814; Package ruby-rails-html-sanitizer. (Tue, 26 Jan 2016 20:57:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 26 Jan 2016 20:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2015-7578 CVE-2015-7579 CVE-2015-7580
Date: Tue, 26 Jan 2016 21:54:27 +0100
Package: ruby-rails-html-sanitizer
Severity: grave
Tags: security

Please see
https://marc.info/?l=oss-security&m=145375052028672&w=2
https://marc.info/?l=oss-security&m=145375059928688&w=2
https://marc.info/?l=oss-security&m=145375090928793&w=2

Cheers,
        Moritz



Marked as found in versions ruby-rails-html-sanitizer/1.0.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 26 Jan 2016 21:12:04 GMT)


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 26 Jan 2016 21:12:05 GMT)


Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Tue, 26 Jan 2016 22:45:19 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 26 Jan 2016 22:45:19 GMT)


Message #14 received at 812814-close@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: 812814-close@bugs.debian.org
Subject: Bug#812814: fixed in ruby-rails-html-sanitizer 1.0.3-1
Date: Tue, 26 Jan 2016 22:43:15 +0000
Source: ruby-rails-html-sanitizer
Source-Version: 1.0.3-1

We believe that the bug you reported is fixed in the latest version of
ruby-rails-html-sanitizer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 812814@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated ruby-rails-html-sanitizer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 26 Jan 2016 19:36:51 -0200
Source: ruby-rails-html-sanitizer
Binary: ruby-rails-html-sanitizer
Architecture: source
Version: 1.0.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
 ruby-rails-html-sanitizer - HTML sanitization for Rails applications
Closes: 812814
Changes:
 ruby-rails-html-sanitizer (1.0.3-1) unstable; urgency=high
 .
   * New upstream release. Contains fixes for several XSS vulnerabilities:
     CVE-2015-7578 CVE-2015-7579 CVE-2015-7580 (Closes: #812814)
   * debian/ruby-tests.rake: re-enable test that was disabled
   * 0001-Skip-some-tests-under-Debian.patch: skip tests where the sanitized
     HTML is XSS-free but does not match the exact content expected by the
     upstream test suite. I suspect that is due to Nokogiri not using its own
     patched version of libxml2 in Debian, but can't be sure of that yet.
     Also, the same tests would already fail on 1.0.2 if enabled.
Checksums-Sha1:
 f4c7470cc9b1c3d1d824d51e5bdaf954dc3db0b5 2254 ruby-rails-html-sanitizer_1.0.3-1.dsc
 19cf3baa8925c5314d84c207dcc473a409fb3bae 12012 ruby-rails-html-sanitizer_1.0.3.orig.tar.gz
 5620823ad032f94399a4cdfa38ab2721faacbcda 3244 ruby-rails-html-sanitizer_1.0.3-1.debian.tar.xz
Checksums-Sha256:
 2ef86a8ee84d0ccf7b19d524d3fea04693499b2d1b314af26a3f651954e522ee 2254 ruby-rails-html-sanitizer_1.0.3-1.dsc
 5727cbb975fcf8ccf18a7dee5e3db45dfe15a416f5468009bd33252c3bf490f7 12012 ruby-rails-html-sanitizer_1.0.3.orig.tar.gz
 4ab79e55188505e1ae79649678a4f508d7ab2f41c96e0c2c0df6526ef509635d 3244 ruby-rails-html-sanitizer_1.0.3-1.debian.tar.xz
Files:
 d9e1a8212febb62d718d0b7910f02b89 2254 ruby optional ruby-rails-html-sanitizer_1.0.3-1.dsc
 39f76abfdc72aeafcc3593347f1bf571 12012 ruby optional ruby-rails-html-sanitizer_1.0.3.orig.tar.gz
 ad1db8aa4316d19d22e51d1ac723ebf2 3244 ruby optional ruby-rails-html-sanitizer_1.0.3-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




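The changelog in the close message above gives 1.0.3 as the first upstream release carrying the fixes for CVE-2015-7578, CVE-2015-7579 and CVE-2015-7580. What a practitioner reading this report usually wants to know next is whether an application is still pinned to an older gem. The Ruby script below is an added example, not code from the Debian package, the upstream gem or this bug log: it parses the specs: blocks of a Gemfile.lock (GEM, GIT and PATH sections all carry one) and compares every rails-html-sanitizer pin against 1.0.3 using Gem::Version. The gem name and the fixed version are taken from this report; the lockfile it scans by default is constructed for the example, and the function names are the example's own.

```ruby
# Added example, not from the Debian package or the upstream gem: scan a
# Gemfile.lock for rails-html-sanitizer pins older than 1.0.3, the first
# upstream release that (per this bug log) fixes CVE-2015-7578,
# CVE-2015-7579 and CVE-2015-7580.
require 'rubygems' # Gem::Version; already loaded on any modern Ruby

GEM_NAME = 'rails-html-sanitizer'
FIXED_VERSION = Gem::Version.new('1.0.3')

# Constructed sample lockfile for the example (not taken from a real app).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.0.3)
        nokogiri (>= 1.5.9)
      mini_portile2 (2.0.0)
      nokogiri (1.6.7.2)
        mini_portile2 (~> 2.0.0.rc2)
      rails-html-sanitizer (1.0.2)
        loofah (~> 2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails-html-sanitizer

  BUNDLED WITH
     1.11.2
LOCK

# Collect resolved versions from every "specs:" block (GEM, GIT and PATH
# sections all have one). Resolved entries are indented exactly four
# spaces as "name (version)"; deeper-indented lines are dependency
# constraints, not resolved versions, and are skipped.
# Returns { name => [versions] }.
def parse_lockfile_specs(text)
  specs = Hash.new { |h, k| h[k] = [] }
  in_specs = false
  text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    # A blank line or an unindented section header ends the block.
    if in_specs && (line.strip.empty? || line !~ /\A\s/)
      in_specs = false
      next
    end
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    specs[m[1]] << m[2] if m
  end
  specs
end

# Classify each pin of the gem: :vulnerable (older than fixed), :fixed, or
# :unparsable when Gem::Version rejects the string. A platform suffix such
# as "-x86_64-linux" is dropped before comparison. An empty result means
# the gem does not appear in the lockfile at all.
def assess(text, gem_name = GEM_NAME, fixed = FIXED_VERSION)
  parse_lockfile_specs(text).fetch(gem_name, []).map do |raw|
    ver = raw.split('-', 2).first
    status = if !Gem::Version.correct?(ver) then :unparsable
             elsif Gem::Version.new(ver) < fixed then :vulnerable
             else :fixed
             end
    [raw, status]
  end
end

# Human-readable report, one line per finding.
def report(text, gem_name = GEM_NAME)
  findings = assess(text, gem_name)
  return "#{gem_name}: not pinned in this lockfile" if findings.empty?
  findings.map { |raw, status| "#{gem_name} #{raw}: #{status}" }.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  # With no argument the constructed sample is scanned; pass a path to a
  # real Gemfile.lock to check an application.
  puts report(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE)
end
```

Two caveats. The script only covers gems resolved by Bundler; for the Debian package itself compare the installed package version with dpkg (`dpkg --compare-versions "$(dpkg-query -W -f='${Version}' ruby-rails-html-sanitizer)" lt 1.0.3-1`), not with Gem::Version, which reads a hyphen as a prerelease marker and would order 1.0.3-1 before 1.0.3. And a vulnerable pin is a finding about the dependency, not proof that the application reaches the affected sanitizer paths; that still has to be checked in the code that calls the sanitizer.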
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 26 Feb 2016 07:26:41 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:45:07 2019; Machine Name: beach
