yard: CVE-2024-27285

Related Vulnerabilities: CVE-2024-27285  

Debian Bug report logs - #1065118
yard: CVE-2024-27285


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 29 Feb 2024 21:57:01 UTC

Severity: important

Tags: security, upstream

Found in versions yard/0.9.34-1, yard/0.9.24-1, yard/0.9.28-2

Fixed in versions yard/0.9.28-2+deb12u1, yard/0.9.35-1

Done: Antonio Terceiro <terceiro@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#1065118; Package src:yard. (Thu, 29 Feb 2024 21:57:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 29 Feb 2024 21:57:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: yard: CVE-2024-27285
Date: Thu, 29 Feb 2024 22:55:41 +0100
Source: yard
Version: 0.9.34-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 0.9.28-2
Control: found -1 0.9.24-1

Hi,

The following vulnerability was published for yard.

CVE-2024-27285[0]:
| YARD is a Ruby Documentation tool. The "frames.html" file within the
| Yard Doc's generated documentation is vulnerable to Cross-Site
| Scripting (XSS) attacks due to inadequate sanitization of user input
| within the JavaScript segment of the "frames.erb" template file.
| This vulnerability is fixed in 0.9.35.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27285
    https://www.cve.org/CVERecord?id=CVE-2024-27285
[1] https://github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc
[2] https://github.com/lsegal/yard/commit/d78fc393d603c4fc35975969296ed381146a29d4

Regards,
Salvatore
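
The CVE text above describes user input reaching the JavaScript segment of an ERB template ("frames.erb") without adequate sanitization. The following Ruby example is added here for illustration; it is not YARD's code and not the fix from the linked commit. It shows the general pattern behind that class of bug: one template interpolates a value straight into a JavaScript string literal, while the hardened template emits the value as a JSON literal and additionally escapes the characters the HTML tokenizer acts on inside a script element. The template text, the sample title and the helper names (`js_literal`, `script_context_intact?`) are all constructed for this example.

```ruby
require "erb"
require "json"

# Constructed sample value standing in for data a template might interpolate
# (not a real YARD input). It carries a quote and a closing script tag.
UNTRUSTED_TITLE = "Alice's </script> notes"

# Unsafe pattern: raw interpolation into a JavaScript string literal.
# A single quote ends the literal early, and "</script>" ends the script
# element regardless of JavaScript quoting, so markup from data reaches
# the HTML parser.
UNSAFE_TEMPLATE = ERB.new(<<~HTML)
  <script>
    var pageTitle = '<%= title %>';
  </script>
HTML

# Hardened pattern: emit a JSON literal (quotes and backslashes handled),
# then escape <, > and & so the sequences the HTML tokenizer recognises
# inside <script> ("</script", "<!--") can never appear, and escape the
# JS line terminators U+2028/U+2029, which JSON leaves raw.
JS_ESCAPES = {
  "<"      => '\u003c',
  ">"      => '\u003e',
  "&"      => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029',
}.freeze

# Hypothetical helper name; returns a JS expression that is inert in both
# the JavaScript and the HTML parsing context.
def js_literal(value)
  value.to_json.gsub(/[<>&\u2028\u2029]/) { |ch| JS_ESCAPES[ch] }
end

SAFE_TEMPLATE = ERB.new(<<~HTML)
  <script>
    var pageTitle = <%= js_literal(title) %>;
  </script>
HTML

def render_unsafe(title)
  UNSAFE_TEMPLATE.result_with_hash(title: title)
end

def render_safe(title)
  SAFE_TEMPLATE.result_with_hash(title: title)
end

# Defender-side check over rendered output: true when the script body
# (everything up to the template's own closing tag) contains no closing
# script tag that originated from data.
def script_context_intact?(html)
  body = html[/<script>(.*?)<\/script>\s*\z/m, 1]
  !body.nil? && !body.include?("</script")
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(UNTRUSTED_TITLE)
  puts render_safe(UNTRUSTED_TITLE)
end
```

Run the file to see both renderings side by side; the unsafe one contains a second `</script>` that the browser would honour, the safe one contains `\u003c/script\u003e`, which JavaScript decodes back to the original characters only after the HTML parser has finished with the script element.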



Marked as found in versions yard/0.9.28-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 29 Feb 2024 21:57:03 GMT)


Marked as found in versions yard/0.9.24-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 29 Feb 2024 21:57:04 GMT)


Marked as fixed in versions yard/0.9.28-2+deb12u1. Request was from Antonio Terceiro <terceiro@debian.org> to control@bugs.debian.org. (Thu, 29 Feb 2024 23:03:07 GMT)


Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Thu, 29 Feb 2024 23:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 29 Feb 2024 23:51:03 GMT)


Message #16 received at 1065118-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1065118-close@bugs.debian.org
Subject: Bug#1065118: fixed in yard 0.9.35-1
Date: Thu, 29 Feb 2024 23:47:37 +0000
Source: yard
Source-Version: 0.9.35-1
Done: Antonio Terceiro <terceiro@debian.org>

We believe that the bug you reported is fixed in the latest version of
yard, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1065118@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated yard package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 28 Feb 2024 19:04:52 -0300
Source: yard
Architecture: source
Version: 0.9.35-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Closes: 1065118
Changes:
 yard (0.9.35-1) unstable; urgency=medium
 .
   * New upstream version 0.9.35
     - Contains fix for XSS in generated frames.html of default YARD template
       [CVE-2024-27285] (Closes: #1065118)
Checksums-Sha1:
 cb46c840cf4418085db79acb81652f9f1d935c0c 2186 yard_0.9.35-1.dsc
 723eb5515defd809fae82586b0d261e40dfc7285 938495 yard_0.9.35.orig.tar.gz
 4181f739ff1c6c1e3edb3abb2671074584804a94 81364 yard_0.9.35-1.debian.tar.xz
 a65073dfc26d33155d74839f15fe7e60c09b7085 13747 yard_0.9.35-1_source.buildinfo
Checksums-Sha256:
 b104010ef49bf88d473b70765e45a6bea7e2b145d3e06803996763bb4d8f2289 2186 yard_0.9.35-1.dsc
 cf2a885de29724aa623195726c95392e31e7be4997341f8174c39d1ec66b5ff0 938495 yard_0.9.35.orig.tar.gz
 736268fa3a170d6710ac10ec06d481e426ea3f17e16bb95cec783440d29d0421 81364 yard_0.9.35-1.debian.tar.xz
 01ef8c5567b07ad717d142c3bf45757d345733d01f5a900888d11abb351c45e6 13747 yard_0.9.35-1_source.buildinfo
Files:
 465622902b2512ca0a93c2d1334ce2e6 2186 ruby optional yard_0.9.35-1.dsc
 cff99adf3104d6a15b13d865bffb6caa 938495 ruby optional yard_0.9.35.orig.tar.gz
 34deab66d42652c79b5fef1d863fd200 81364 ruby optional yard_0.9.35-1.debian.tar.xz
 20d647f66876490ff5cd520a9cf6870a 13747 ruby optional yard_0.9.35-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Mar 1 18:18:01 2024; Machine Name: bembo
