
Bug 693028 (CVE-2012-6708, CVE-2015-9251)

Summary: <dev-ruby/rdoc{5.1.0-r1,6.1.2,6.2.0}: Multiple jQuery vulnerabilities
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ruby
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.ruby-lang.org/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 688976, 693030, 693358
Bug Blocks:

Description Hans de Graaff gentoo-dev 2019-08-28 17:42:24 UTC
There are multiple Cross-Site Scripting (XSS) vulnerabilities in the jQuery shipped with RDoc, which is bundled in Ruby. All Ruby users are recommended to update Ruby to the latest release, which includes the fixed version of RDoc.
Details

The following vulnerabilities have been reported.

    CVE-2012-6708
    CVE-2015-9251

It is strongly recommended that all Ruby users upgrade their Ruby installation or take one of the following workarounds as soon as possible. You also have to re-generate existing RDoc documentation to completely mitigate the vulnerabilities.
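The last sentence of the advisory is the part that is easy to miss: upgrading the rdoc package fixes future output, but every HTML tree rdoc generated earlier still carries its own copy of the old jquery.js. The Ruby script below is an added example (not part of this bug or of rdoc itself) that walks a documentation tree, reads the version banner jQuery places at the top of jquery.js, and lists the copies that still predate the fixes. It assumes that rdoc's HTML output keeps the bundled library as a plain file named jquery.js under the doc root (true of the darkfish template as far as I know), and the minimum fixed jQuery versions per CVE (1.9.0 and 3.0.0) are my reading of the upstream jQuery advisories, not something this bug page states. The sample doc trees it scans are constructed in a temporary directory.

```ruby
require "rubygems"   # Gem::Version: numeric comparison, so "1.6.4" < "1.10.0" holds
require "tmpdir"
require "fileutils"

# Assumed lower bounds of the jQuery releases carrying the fixes for the two
# CVEs in this bug (my reading of the upstream jQuery advisories; the bug page
# itself does not state them).
JQUERY_FIX = {
  "CVE-2012-6708" => Gem::Version.new("1.9.0"),
  "CVE-2015-9251" => Gem::Version.new("3.0.0"),
}.freeze

# Extract the version from the banner jQuery places at the top of both its
# minified build ("/*! jQuery v1.6.4 ...") and its full build
# ("jQuery JavaScript Library v1.6.4"). Returns nil when no banner is found.
def jquery_version(path)
  head = File.read(path, 4096).to_s            # the banner sits in the first bytes
  m = head.match(/jQuery (?:JavaScript Library )?v(\d+(?:\.\d+)+)/)
  m && Gem::Version.new(m[1])
end

# CVEs whose fix landed after the given jQuery version.
def unfixed_cves(ver)
  JQUERY_FIX.select { |_cve, min| ver < min }.keys
end

# Walk a tree of generated documentation and report every jquery*.js whose
# banner version predates a fix. Assumes (as rdoc's darkfish output does, to
# my knowledge) that the bundled copy is a plain jquery.js file somewhere
# under the doc root. Returns [[path, version, [unfixed CVEs]], ...].
def stale_jquery_copies(doc_root)
  Dir.glob(File.join(doc_root, "**", "jquery*.js")).sort.each_with_object([]) do |path, out|
    ver = jquery_version(path)
    next unless ver                             # no recognisable banner: cannot judge
    missing = unfixed_cves(ver)
    out << [path, ver.to_s, missing] unless missing.empty?
  end
end

# Constructed sample: one stale doc tree still carrying an old jQuery and one
# regenerated tree carrying a current one (banner versions chosen for the
# demo, not taken from any particular rdoc release).
def build_sample_trees(root)
  {
    "stale-docs"  => "/*! jQuery v1.6.4 http://jquery.com/ | http://jquery.org/license */\n",
    "regenerated" => "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */\n",
  }.each do |tree, banner|
    js_dir = File.join(root, tree, "js")
    FileUtils.mkdir_p(js_dir)
    File.write(File.join(js_dir, "jquery.js"), banner)
  end
  root
end

# Run the audit over the sample trees; paths come back relative to the root.
def audit_sample
  Dir.mktmpdir("rdoc-jquery-audit") do |root|
    build_sample_trees(root)
    stale_jquery_copies(root).map do |path, ver, cves|
      [path.delete_prefix(root + "/"), ver, cves]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_sample.each do |path, ver, cves|
    puts "#{path}: jQuery #{ver} predates the fixes for #{cves.join(', ')}"
  end
end
```

To audit real output, call stale_jquery_copies on the directory you pass to rdoc (or on a gem's doc directory); any hit is a tree that needs regenerating with the fixed rdoc rather than a package that needs upgrading. A file with no banner is skipped rather than reported, so a hand-stripped copy would need manual inspection.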
Comment 1 Hans de Graaff gentoo-dev 2019-08-28 17:45:30 UTC
We unbundle rdoc from dev-lang/ruby, so the upstream ruby releases are not relevant for this security bug.

Fixed versions in the tree:

dev-ruby/rdoc-5.1.0-r1 (port from unreleased 5.x version upstream)
dev-ruby/rdoc-6.1.2
dev-ruby/rdoc-6.2.0

The ruby releases other than ruby 2.4.7 also contain additional changes that need to be tested first. In addition, ruby 2.5 is in the process of being stabled. I will file separate stable bugs for 2.4 and (once tested) 2.5 as blockers for this bug.
Comment 2 Hans de Graaff gentoo-dev 2020-01-05 08:54:23 UTC
Cleanup done.
Comment 3 Sam James (sec padawan) 2020-03-26 19:37:07 UTC
(In reply to Hans de Graaff from comment #1)
> We unbundle rdoc from dev-lang/ruby, so the upstream ruby releases are not
> relevant for this security bug.
> 
> Fixed versions in the tree:
> 
> dev-ruby/rdoc-5.1.0-r1 (port from unreleased 5.x version upstream)
> dev-ruby/rdoc-6.1.2
> dev-ruby/rdoc-6.2.0
> 
> The ruby releases other than ruby 2.4.7 also contain additional changes that
> need to be tested first. In addition ruby 2.5 is in the process of being
> stabled. I will file separate stable bugs for 2.4 and (once tested) 2.5 as
> blockers for this bug.

Thank you for the summary, it is appreciated! :)