CVE-2018-8048 - Loofah XSS Vulnerability

This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team.

Severity: Medium (6.7)

Description: Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

Affected Versions: Loofah < 2.2.1, but only when running on MRI or RBX, in combination with libxml2 >= 2.9.2. Please note: JRuby users are not affected.

Mitigation: Upgrade to Loofah 2.2.1.
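The affected set above has three conditions (Loofah version, Ruby engine, libxml2 version), and it is easy to misjudge one of them by hand, e.g. on JRuby, which never loads libxml2. The following Ruby script is an added example, not code from this bug report or from the Loofah project: it encodes the advisory's affected-version predicate as a function and, when Loofah and Nokogiri happen to be installed, evaluates it against the running interpreter. It assumes that RUBY_ENGINE is "ruby" on MRI, "rbx" on Rubinius and "jruby" on JRuby, and that Nokogiri::VERSION_INFO exposes the loaded libxml2 version under ["libxml"]["loaded"] (and has no such entry on JRuby).

```ruby
# Added example (not part of the Gentoo bug or the upstream Loofah advisory):
# encode the advisory's affected-version predicate for CVE-2018-8048 and,
# when Loofah and Nokogiri are installed, evaluate it against the live runtime.
require "rubygems"

LOOFAH_FIXED     = Gem::Version.new("2.2.1") # first fixed release per the advisory
LIBXML_FLOOR     = Gem::Version.new("2.9.2") # libxml2 >= 2.9.2 is the affected range
AFFECTED_ENGINES = %w[ruby rbx].freeze       # assumed RUBY_ENGINE values for MRI and Rubinius

# Returns true when the (loofah, engine, libxml2) triple falls inside the
# advisory's affected set. libxml_version may be nil, e.g. on JRuby, which
# parses with a Java backend and never loads libxml2.
def loofah_cve_2018_8048_affected?(loofah_version:, ruby_engine:, libxml_version:)
  return false unless AFFECTED_ENGINES.include?(ruby_engine)
  return false if libxml_version.nil?
  return false if Gem::Version.new(loofah_version) >= LOOFAH_FIXED
  Gem::Version.new(libxml_version) >= LIBXML_FLOOR
end

# Probe the running interpreter. Assumption: Nokogiri::VERSION_INFO carries the
# loaded libxml2 version under ["libxml"]["loaded"] (absent on JRuby).
# Returns nil when loofah/nokogiri are not installed so the script still runs.
def live_environment
  require "loofah"
  require "nokogiri"
  libxml = Nokogiri::VERSION_INFO.dig("libxml", "loaded")
  { loofah_version: Loofah::VERSION, ruby_engine: RUBY_ENGINE, libxml_version: libxml }
rescue LoadError
  nil
end

if $PROGRAM_NAME == __FILE__
  env = live_environment
  if env
    puts "loofah=#{env[:loofah_version]} engine=#{env[:ruby_engine]} libxml2=#{env[:libxml_version] || 'n/a'}"
    puts(loofah_cve_2018_8048_affected?(**env) ? "AFFECTED: upgrade to Loofah >= 2.2.1" : "not affected")
  else
    puts "loofah/nokogiri not installed; nothing to check"
  end
end
```

Run it with the application's Gemfile active (e.g. `bundle exec ruby check_loofah.rb`) so the Loofah and Nokogiri that the application actually loads are the ones inspected; a system-wide gem may differ from the bundled one.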
Loofah 2.2.1 has been added to the tree.
Added amd64 for a stable bug and arm for keywording (bug 631974).
An automated check of this bug failed - repoman reported dependency errors (51 lines truncated):
> dependency.bad dev-ruby/loofah/loofah-2.2.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['=dev-ruby/crass-1.0*[ruby_targets_ruby22]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby22]', '=dev-ruby/crass-1.0*[ruby_targets_ruby23]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby23]']
> dependency.bad dev-ruby/loofah/loofah-2.2.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['=dev-ruby/crass-1.0*[ruby_targets_ruby22]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby22]', '=dev-ruby/crass-1.0*[ruby_targets_ruby23]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby23]']
> dependency.badindev dev-ruby/loofah/loofah-2.2.1.ebuild: DEPEND: arm(default/linux/arm/13.0/armv4) ['=dev-ruby/crass-1.0*[ruby_targets_ruby22]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby22]', '=dev-ruby/crass-1.0*[ruby_targets_ruby23]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby23]']
amd64 stable
Vulnerable versions have been removed.
GLSA Vote: No