Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 693028 (CVE-2012-6708, CVE-2015-9251) - <dev-ruby/rdoc{5.1.0-r1,6.1.2,6.2.0}: Multiple jQuery vulnerabilities
Summary: <dev-ruby/rdoc{5.1.0-r1,6.1.2,6.2.0}: Multiple jQuery vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2012-6708, CVE-2015-9251
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.ruby-lang.org/en/news/201...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: ruby25-stable 693030 693358
Blocks:
  Show dependency tree
 
Reported: 2019-08-28 17:42 UTC by Hans de Graaff
Modified: 2020-03-26 19:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev 2019-08-28 17:42:24 UTC
There are multiple vulnerabilities about Cross-Site Scripting (XSS) in jQuery shipped with RDoc which bundled in Ruby. All Ruby users are recommended to update Ruby to the latest release which includes the fixed version of RDoc.
Details

The following vulnerabilities have been reported.

    CVE-2012-6708
    CVE-2015-9251

It is strongly recommended for all Ruby users to upgrade your Ruby installation or take one of the following workarounds as soon as possible. You also have to re-generate existing RDoc documentations to completely mitigate the vulnerabilities.
Comment 1 Hans de Graaff gentoo-dev 2019-08-28 17:45:30 UTC
We unbundle rdoc from dev-lang/ruby, so the upstream ruby releases are not relevant for this security bug.

Fixed versions in the tree:

dev-ruby/rdoc-5.1.0-r1 (port from unrelease 5.x version upstream)
dev-ruby/rdoc-6.1.2
dev-ruby/rdoc-6.2.0

The ruby releases other than ruby 2.4.7 also contain additional changes that need to be tested first. In addition ruby 2.5 is in the process of being stabled. I will file separate stable bugs for 2.4 and (once tested) 2.5 as blockers for this bug.
Comment 2 Hans de Graaff gentoo-dev 2020-01-05 08:54:23 UTC
Cleanup done.
Comment 3 Sam James (sam_c) (security padawan) 2020-03-26 19:37:07 UTC
(In reply to Hans de Graaff from comment #1)
> We unbundle rdoc from dev-lang/ruby, so the upstream ruby releases are not
> relevant for this security bug.
> 
> Fixed versions in the tree:
> 
> dev-ruby/rdoc-5.1.0-r1 (port from unrelease 5.x version upstream)
> dev-ruby/rdoc-6.1.2
> dev-ruby/rdoc-6.2.0
> 
> The ruby releases other than ruby 2.4.7 also contain additional changes that
> need to be tested first. In addition ruby 2.5 is in the process of being
> stabled. I will file separate stable bugs for 2.4 and (once tested) 2.5 as
> blockers for this bug.

Thank you for the summary, it is appreciated! :)