Accepted ruby-rails-html-sanitizer 1.0.4-1+deb10u2 (source) into oldoldstable
- To: debian-lts-changes@lists.debian.org, dispatch@tracker.debian.org
- Subject: Accepted ruby-rails-html-sanitizer 1.0.4-1+deb10u2 (source) into oldoldstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Wed, 13 Sep 2023 12:50:19 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: ruby-rails-html-sanitizer_1.0.4-1+deb10u2_source.changes
- Debian-source: ruby-rails-html-sanitizer
- Debian-suite: oldoldstable
- Debian-version: 1.0.4-1+deb10u2
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.seger; h=Date:Message-Id: Content-Transfer-Encoding:Content-Type:Subject:MIME-Version:To:Reply-To:From: Cc:Content-ID:Content-Description:In-Reply-To:References; bh=zJ/YRFvHk0qG3dM0WHwkLb9FWanBLG54fRp5iL0aBzQ=; b=PnGe6doEBuSiZKFjIHDJAdExbP A0uD1iGLNoJeyye+YXwoflFi5SNEf2Uqev4S4MmO1LNcq5DggruPgIXf1k+98M233LBFmQoCJQkvm Kd4Z+PHgJEL+BQ9mMnE9n4QpcbZAbfRjKOEPHYOryApSLthGWiduRKVM2M7lg7ekqJXgC4EljGA8Y l/icq6mm1nPnLIFhZi4JK1tYraInX0fUTeT3hI8mwi4z7MxFGbJCqnOW++5iHusfUQylZChlSXmff TnO+O8blNmvH+RUTF+CxyW9CN0UiLLhYjYMbPeV7Jxjp1d6AeqjRN4eWRxLIzCGK1F551KmKyGKB4 9W5Gxzfg==;
- Mail-followup-to: debian-lts@lists.debian.org
- Message-id: <E1qgPJz-00FohP-1s@seger.debian.org>
- Reply-to: debian-lts@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 13 Sep 2023 11:43:01 +0200
Source: ruby-rails-html-sanitizer
Architecture: source
Version: 1.0.4-1+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Closes: 1027153
Changes:
ruby-rails-html-sanitizer (1.0.4-1+deb10u2) buster-security; urgency=high
.
* Non-maintainer upload by the LTS Security Team. (Closes: #1027153)
* CVE-2022-23517: Certain configurations use an inefficient regular
expression that is susceptible to excessive backtracking when
attempting to sanitize certain SVG attributes. This may lead to a
denial of service through CPU resource consumption.
Fix requires ruby-loofah >= 2.2.3-1+deb10u2.
* CVE-2022-23518: cross-site scripting via data URIs when used in
combination with Loofah.
Fix requires ruby-loofah >= 2.2.3-1+deb10u2.
* CVE-2022-23519: XSS vulnerability with certain configurations of
Rails::Html::Sanitizer may allow an attacker to inject content if the
application developer has overridden the sanitizer's allowed tags in
either of the following ways: allow both "math" and "style" elements,
or allow both "svg" and "style" elements.
Same fix as CVE-2022-23520.
* CVE-2022-23520: XSS vulnerability with certain configurations of
Rails::Html::Sanitizer due to an incomplete fix of
CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject
content if the application developer has overridden the sanitizer's
allowed tags to allow both "select" and "style" elements. Code is only
impacted if allowed tags are being overridden.
Fix requires ruby-loofah >= 2.2.3-1+deb10u2.
* Drop patch for CVE 2022-32209, replaced by the one for
CVE-2022-23519/23520.
Checksums-Sha1:
dc0b50a213f03870b5945f0c6b2d02000fa4c443 2315 ruby-rails-html-sanitizer_1.0.4-1+deb10u2.dsc
bc5b5d808c8c432f9e7e4b444a880521f09e5a8d 5804 ruby-rails-html-sanitizer_1.0.4-1+deb10u2.debian.tar.xz
a2f0d15b5132942650333bb153b85d0588e97a1e 10692 ruby-rails-html-sanitizer_1.0.4-1+deb10u2_all.buildinfo
Checksums-Sha256:
fd733490e6c65e2a5dc9a6367a25f896952c6bf754aa5c910f0efa8ac912a250 2315 ruby-rails-html-sanitizer_1.0.4-1+deb10u2.dsc
fb76ce27e14eefccdec444e9161753c559e5f91db4c9c1cdc865f83b0db40223 5804 ruby-rails-html-sanitizer_1.0.4-1+deb10u2.debian.tar.xz
ed06a6bd714a44f6c4fcf7fa437be0d54ac711f6fdd1e53e4fad6e21e344e510 10692 ruby-rails-html-sanitizer_1.0.4-1+deb10u2_all.buildinfo
Files:
05219782833801177faa588a178b494f 2315 ruby optional ruby-rails-html-sanitizer_1.0.4-1+deb10u2.dsc
7ec55154551538dd28e82fdb21c1b77a 5804 ruby optional ruby-rails-html-sanitizer_1.0.4-1+deb10u2.debian.tar.xz
7e4be50670e644040e34fbe67add48af 10692 ruby optional ruby-rails-html-sanitizer_1.0.4-1+deb10u2_all.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmUBqtkACgkQDTl9HeUl
XjChKhAAwYMzC9QEP0UlKKyUIxiQe0nX5yYki1pxa18HKu/1aies7YXVfioYgl36
XJB/3gikzinPv8n1fZXrnguCMWdCizVhkwc+m9JAoD8HHtxfYi7TqWqoCmtfrVCj
Zzdn7wZwaRMIju+5UL1Cz2QuPQS+uq/Cgl8lXdQQWeCRdfJOGpSmdZz3Dk1DUk6N
jMorVzs0PhJZEJEzHZICjEcsCvGbIjv75cPjqdFlQfy6MQFtIddeh8LIyi+kttbS
cInT4uLGqveoWxY+qCdUT27D/J/GsBpnb7IEMw7Ib5+v+D+99w5rYZod5GaqwXkp
m6+NCOrNT2ec17ok7GpUwcWQ3gBWeDdjmV22CXdh3z4mgkULghQFC5OAV4JIxO8t
GFc52yLmaKP/Hl8pgrdhfXiXftDj5veYsxrOa2quGWwlHwVfr1YtD3nIaBaEXbKl
MEWj8vPe1uGQE2JqyEZ9Y1Ju6bLMsCGNNcIg6BntnrqwqPjaKI55guLf3InzNaK3
XxgO9Lf6iCH5vWCXWXDP07Ayc3H1keWrbM8YpFzOOKuvR9QwjSbdESYSMO6yhu4/
vPLrGgeswnP74p3O8E2MI1AqCCKDKQIZm980e48BHbE5LcNk5VIcT0CfXY7vCiO5
eqrDyHDmKytlMP9EZLis9aDdPWvx+ymJXcAvaNjjFuyGSBZBNbE=
=lP/2
-----END PGP SIGNATURE-----