From $URL : Jan Lieskovsky 2013-02-05 05:56:14 EST A cross-site scripting (XSS) flaw was found in the way Darkfish Rdoc HTML generator / template of RDoc, HTML and command-line documentation producing tool for Ruby, performed sanitization of certain values when creating Rdoc documentation. When Ruby on Rails application exposed its documentation via network, a remote attacker could provide a specially-crafted URL that, when opened would lead to arbitrary web script or HTML code execution in the context of (particular Ruby on Rails application) user's session. This issue affects RDoc versions 2.3.0 to 3.12.
=dev-ruby/rdoc-3.12.1 is in the tree with fixes for this. Note that we remove the bundled versions of rdoc in dev-lang/ruby* and only use this gem.
(In reply to comment #1) > =dev-ruby/rdoc-3.12.1 is in the tree with fixes for this. Note that we > remove the bundled versions of rdoc in dev-lang/ruby* and only use this gem. Thanks, Hans. Arches, please test and mark stable.
amd64 stable
x86 stable
ia64 stable
hppa stable
arm stable
ppc stable
ppc64 stable
sparc stable
s390 stable
alpha stable
sh stable
CVE-2013-0256 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0256): darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.
Ready for vote, I vote NO.
GLSA vote: no, XSS. Closing noglsa.