| Summary: | <dev-ruby/rdoc-3.12.1: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template (CVE-2013-0256) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | ruby |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=907820 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-02-09 09:30:00 UTC
=dev-ruby/rdoc-3.12.1 is in the tree with fixes for this. Note that we remove the bundled versions of rdoc in dev-lang/ruby* and only use this gem.

(In reply to comment #1)
> =dev-ruby/rdoc-3.12.1 is in the tree with fixes for this. Note that we
> remove the bundled versions of rdoc in dev-lang/ruby* and only use this gem.

Thanks, Hans. Arches, please test and mark stable.

amd64 stable

x86 stable

ia64 stable

hppa stable

arm stable

ppc stable

ppc64 stable

sparc stable

s390 stable

alpha stable

sh stable

CVE-2013-0256 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0256):
darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.

Ready for vote, I vote NO.

GLSA vote: no, XSS. Closing noglsa.