Debian Bug report logs - #912398 ruby-loofah: CVE-2018-16468
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#912398; Package src:ruby-loofah. (Wed, 31 Oct 2018 06:21:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 31 Oct 2018 06:21:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: ruby-loofah
Version: 2.2.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/flavorjones/loofah/issues/154
Hi,
The following vulnerability was published for ruby-loofah.
CVE-2018-16468[0]:
| In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may
| occur in sanitized output when a crafted SVG element is republished.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-16468
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16468
[1] https://github.com/flavorjones/loofah/issues/154
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 05 Nov 2018 17:15:11 GMT)
Severity set to 'grave' from 'important'. Request was from jmm@inutil.org (Moritz Muehlenhoff) to control@bugs.debian.org. (Thu, 13 Dec 2018 11:51:02 GMT)
Reply sent to Hideki Yamane <henrich@debian.org>: You have taken responsibility. (Sun, 30 Dec 2018 07:09:07 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 30 Dec 2018 07:09:07 GMT)
Message #14 received at 912398-close@bugs.debian.org:
Source: ruby-loofah
Source-Version: 2.2.3-1
We believe that the bug you reported is fixed in the latest version of
ruby-loofah, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 912398@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Hideki Yamane <henrich@debian.org> (supplier of updated ruby-loofah package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 30 Dec 2018 15:46:23 +0900
Source: ruby-loofah
Binary: ruby-loofah
Architecture: source
Version: 2.2.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Hideki Yamane <henrich@debian.org>
Description:
ruby-loofah - manipulation and transformation of HTML/XML documents and fragmen
Closes: 912398
Changes:
ruby-loofah (2.2.3-1) unstable; urgency=medium
.
* Team upload
.
* New upstream version 2.2.3 (Closes: #912398) (CVE-2018-16468)
* debian/watch
- update to use gemwatch.debian.net
* debian/control
- set Standards-Version: 4.3.0
- use dh42
* debian/compat
- drop it
Checksums-Sha1:
bfd1ab97e4953db2ec41e59a32e369f151674729 2194 ruby-loofah_2.2.3-1.dsc
d4fd14de1fe1674639b21740e716decb00c2bae2 63626 ruby-loofah_2.2.3.orig.tar.gz
02dd5d67af5803bee4e9653473a08760d86de2c0 3320 ruby-loofah_2.2.3-1.debian.tar.xz
a2d74f1617c0c576893de71a2457efb5d767b06e 9149 ruby-loofah_2.2.3-1_amd64.buildinfo
Checksums-Sha256:
d0ca4e240151ac9bc929b80bf85616bdc78459b87b79183e91b86e04ab796695 2194 ruby-loofah_2.2.3-1.dsc
522b20f21123e5275e620e6590f549acca442da34c647a1509fafb3248547a50 63626 ruby-loofah_2.2.3.orig.tar.gz
92dad8a6a76eddc984a58e73e61f0d286183970a19774b8dd7dd1ea4609a2eee 3320 ruby-loofah_2.2.3-1.debian.tar.xz
57d01d085ae1f32cda5dab184404412d3d75396e15c0ac1dc2fe208aa627317e 9149 ruby-loofah_2.2.3-1_amd64.buildinfo
Files:
92a61d4d1f24b3e543810c8b1f546a85 2194 ruby optional ruby-loofah_2.2.3-1.dsc
57080866881ec74e76ae01ffa8bfec2e 63626 ruby optional ruby-loofah_2.2.3.orig.tar.gz
ca0a5aa92bcbbbe455cec3e2f7a0ef7e 3320 ruby optional ruby-loofah_2.2.3-1.debian.tar.xz
433f32bf142b1489b1716402bc683f6a 9149 ruby optional ruby-loofah_2.2.3-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jan 2019 07:29:40 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:52:05 2019.