Bug 765013 (CVE-2020-26298)

Summary:	<dev-ruby/redcarpet-3.5.1: XSS vulnerability (CVE-2020-26298)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	ruby
Priority:	Normal	Flags:	nattka: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/advisories/GHSA-q3wr-qw3g-3p4h
Whiteboard:	B4 [noglsa]
Package list:	dev-ruby/redcarpet-3.5.1 amd64 arm arm64 ppc ppc64 x86	Runtime testing required:	---

Description Sam James archtester

2021-01-11 22:02:57 UTC

"Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit."

Comment 1 Sam James archtester

2021-01-11 22:03:12 UTC

Let us know when ready to stable, thanks!

Comment 2 Sam James archtester

2021-01-12 12:05:09 UTC

ppc64 done

Comment 3 Sam James archtester

2021-01-18 02:55:24 UTC

ppc done

Comment 4 Agostino Sarubbo gentoo-dev

2021-01-21 07:41:42 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2021-01-24 12:11:25 UTC

x86 stable

Comment 6 Sam James archtester

2021-01-24 21:51:37 UTC

arm done

Comment 7 Sam James archtester

2021-01-24 21:52:12 UTC

arm64 done

all arches done

Comment 8 Sam James archtester

2021-01-24 21:53:56 UTC

Please cleanup, thanks!

Comment 9 Hans de Graaff gentoo-dev

2021-01-28 05:58:00 UTC

Cleanup done.

Comment 10 John Helmert III archtester

2021-01-28 15:35:22 UTC

(In reply to Hans de Graaff from comment #9)
> Cleanup done.

Thank you!