CVE-2015-7578 CVE-2015-7579 CVE-2015-7580

Related Vulnerabilities: CVE-2015-7578   CVE-2015-7579   CVE-2015-7580  

Debian Bug report logs - #812814
CVE-2015-7578 CVE-2015-7579 CVE-2015-7580

version graph

Reported by: Moritz Muehlenhoff <>

Date: Tue, 26 Jan 2016 20:57:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version ruby-rails-html-sanitizer/1.0.2-1

Fixed in version ruby-rails-html-sanitizer/1.0.3-1

Done: Antonio Terceiro <>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to,,, Debian Ruby Extras Maintainers <>:
Bug#812814; Package ruby-rails-html-sanitizer. (Tue, 26 Jan 2016 20:57:06 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Muehlenhoff <>:
New Bug report received and forwarded. Copy sent to,, Debian Ruby Extras Maintainers <>. (Tue, 26 Jan 2016 20:57:06 GMT) (full text, mbox, link).

Message #5 received at (full text, mbox, reply):

From: Moritz Muehlenhoff <>
To: Debian Bug Tracking System <>
Subject: CVE-2015-7578 CVE-2015-7579 CVE-2015-7580
Date: Tue, 26 Jan 2016 21:54:27 +0100
Package: ruby-rails-html-sanitizer
Severity: grave
Tags: security

Please see


Marked as found in versions ruby-rails-html-sanitizer/1.0.2-1. Request was from Salvatore Bonaccorso <> to (Tue, 26 Jan 2016 21:12:04 GMT) (full text, mbox, link).

Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <> to (Tue, 26 Jan 2016 21:12:05 GMT) (full text, mbox, link).

Reply sent to Antonio Terceiro <>:
You have taken responsibility. (Tue, 26 Jan 2016 22:45:19 GMT) (full text, mbox, link).

Notification sent to Moritz Muehlenhoff <>:
Bug acknowledged by developer. (Tue, 26 Jan 2016 22:45:19 GMT) (full text, mbox, link).

Message #14 received at (full text, mbox, reply):

From: Antonio Terceiro <>
Subject: Bug#812814: fixed in ruby-rails-html-sanitizer 1.0.3-1
Date: Tue, 26 Jan 2016 22:43:15 +0000
Source: ruby-rails-html-sanitizer
Source-Version: 1.0.3-1

We believe that the bug you reported is fixed in the latest version of
ruby-rails-html-sanitizer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Antonio Terceiro <> (supplier of updated ruby-rails-html-sanitizer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Hash: SHA256

Format: 1.8
Date: Tue, 26 Jan 2016 19:36:51 -0200
Source: ruby-rails-html-sanitizer
Binary: ruby-rails-html-sanitizer
Architecture: source
Version: 1.0.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <>
Changed-By: Antonio Terceiro <>
 ruby-rails-html-sanitizer - HTML sanitization for Rails applications
Closes: 812814
 ruby-rails-html-sanitizer (1.0.3-1) unstable; urgency=high
   * New upstream release. Contains fixes for several XSS vulnerabilities:
     CVE-2015-7578 CVE-2015-7579 CVE-2015-7580 (Closes: #812814)
   * debian/ruby-tests.rake: re-enable test that was disabled
   * 0001-Skip-some-tests-under-Debian.patch: skip tests where the sanitized
     HTML is XSS-free but does not match the exact content expected by the
     upstream test suite. I suspect that is due to Nokogiri not using its own
     patched version of libxml2 in Debian, but can't be sure of that yet.
     Also, the same tests would already fail on 1.0.2 if enabled.
 f4c7470cc9b1c3d1d824d51e5bdaf954dc3db0b5 2254 ruby-rails-html-sanitizer_1.0.3-1.dsc
 19cf3baa8925c5314d84c207dcc473a409fb3bae 12012 ruby-rails-html-sanitizer_1.0.3.orig.tar.gz
 5620823ad032f94399a4cdfa38ab2721faacbcda 3244 ruby-rails-html-sanitizer_1.0.3-1.debian.tar.xz
 2ef86a8ee84d0ccf7b19d524d3fea04693499b2d1b314af26a3f651954e522ee 2254 ruby-rails-html-sanitizer_1.0.3-1.dsc
 5727cbb975fcf8ccf18a7dee5e3db45dfe15a416f5468009bd33252c3bf490f7 12012 ruby-rails-html-sanitizer_1.0.3.orig.tar.gz
 4ab79e55188505e1ae79649678a4f508d7ab2f41c96e0c2c0df6526ef509635d 3244 ruby-rails-html-sanitizer_1.0.3-1.debian.tar.xz
 d9e1a8212febb62d718d0b7910f02b89 2254 ruby optional ruby-rails-html-sanitizer_1.0.3-1.dsc
 39f76abfdc72aeafcc3593347f1bf571 12012 ruby optional ruby-rails-html-sanitizer_1.0.3.orig.tar.gz
 ad1db8aa4316d19d22e51d1ac723ebf2 3244 ruby optional ruby-rails-html-sanitizer_1.0.3-1.debian.tar.xz

Version: GnuPG v1


Bug archived. Request was from Debbugs Internal Request <> to (Fri, 26 Feb 2016 07:26:41 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <>. Last modified: Wed Jun 19 17:45:07 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.