| Summary: | <dev-ruby/redcloth-4.2.9-r3: XSS vulnerability (CVE-2012-6684) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | ruby |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1179870 | | |
| Whiteboard: | B4 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-01-08 10:36:11 UTC
CVE-2012-6684 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6684): Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI.

The patch mentioned in the linked bugs is actually for an ancient version of redcloth that is no longer in the tree. Looking at the dependencies and the upstream developer comment I think we should mask this for removal. All packages that depend on this either do so for optional tests or to generate documentation.

Affected packages:
- dev-ruby/coderay
- dev-ruby/railties:3.2
- dev-ruby/sqlite3
- dev-ruby/stringex
- dev-ruby/test-unit
- www-apps/jekyll

I have now applied a patch from Debian that is still pending to be applied upstream.

Arches, please test and mark stable:
=dev-ruby/redcloth-4.2.9-r3

amd64 stable

x86 stable

Stable for PPC64.

Stable for HPPA.

Stable on alpha (took dev-libs/nspr-4.10.8 along as a dep).

Gah, wrong bug. Disregard #8.

Stable on alpha (for realz, this time).

ia64 stable

arm stable

ppc stable

sparc stable.

Maintainer(s), please cleanup. Security, please vote.

23 Jul 2015; Manuel Rüger <mrueg@gentoo.org> -redcloth-4.2.9-r1.ebuild: Remove vulnerable.

Maintainer(s), thank you for cleanup!

No GLSAs for Cross-Site Scripting (XSS) as per policy. Closing noglsa.
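The CVE text above says only that the XSS is reachable "via a javascript: URI". The following is an added example, not code from RedCloth and not the Debian patch applied in this bug: a minimal Textile-style link renderer that shows the vulnerable pattern (the link target is HTML-escaped but its scheme is trusted) beside a hardened form that allowlists schemes. Textile's link syntax `"link text":target` is real; the `LINK_RE` regex, the `SAFE_SCHEMES` list, the `safe_href?` check and the sample input are this example's own assumptions and simplifications.

```ruby
require 'cgi'

# Added example (not RedCloth code and not the Debian patch referenced in
# this bug): a minimal Textile-style link renderer showing the CVE-2012-6684
# pattern, the vulnerable form beside a hardened one. Textile spells a link
# as "link text":target; LINK_RE and SAFE_SCHEMES are this example's own
# simplification, not anything RedCloth defines.
LINK_RE = /"([^"]+)":(\S+)/

# Vulnerable form: HTML-escapes the target (so quotes cannot break out of
# the attribute) but trusts whatever scheme it carries. A target of
# javascript:alert(1) therefore becomes a link that runs script on click.
def render_links_unsafe(textile)
  textile.gsub(LINK_RE) do
    text, href = Regexp.last_match(1), Regexp.last_match(2)
    %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>)
  end
end

# Allowlist of schemes a link may use. Denylisting "javascript:" alone is
# the weaker choice: data:, vbscript: and future schemes slip past it.
SAFE_SCHEMES = %w[http https mailto ftp].freeze

# Decide whether a target may be emitted as an href. Normalises the things
# browsers tolerate before resolving a scheme so that the check sees what
# the browser will see: HTML entities (jav&#x61;script:), surrounding
# whitespace, case, and embedded control characters such as the newline
# in "java\nscript:".
def safe_href?(href)
  candidate = CGI.unescapeHTML(href.to_s).strip.gsub(/[\x00-\x1f\x7f]/, '')
  scheme = candidate[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  return true if scheme.nil? # no scheme: a relative URL such as /docs
  SAFE_SCHEMES.include?(scheme.downcase)
end

# Hardened form: same rendering, but a target with a disallowed scheme is
# not linked at all; its visible text is kept so the content survives.
def render_links_safe(textile)
  textile.gsub(LINK_RE) do
    text, href = Regexp.last_match(1), Regexp.last_match(2)
    if safe_href?(href)
      %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>)
    else
      CGI.escapeHTML(text)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input, not taken from the bug or the CVE.
  sample = %q{See "the docs":https://example.com/docs or "click me":javascript:alert(1)}
  puts render_links_unsafe(sample)
  puts render_links_safe(sample)
end
```

The point of `safe_href?` is the normalisation before the scheme test: a check that only looks for the literal string `javascript:` at the start of the raw target misses leading whitespace, mixed case, embedded newlines or tabs, and entity-encoded characters, all of which browsers strip or decode before they pick a scheme. Applying the check to the decoded, stripped value, and allowlisting rather than denylisting, closes those variants together.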