In haml versions prior to version 5.0.0.beta.2, when using user input to
perform tasks on the server, characters like < > " ' must be escaped
properly. In this case, the ' character was missed. An attacker can
manipulate the input to introduce additional attributes, potentially
Upstream patch: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2
All packages in the tree should work with haml:5, so we should mark this as stable and remove haml:4 afterwards.
@maintainer(s), ok to cleanup?
Masked for removal in 30 days.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
This issue was resolved and addressed in
GLSA 202007-27 at https://security.gentoo.org/glsa/202007-27
by GLSA coordinator Sam James (sam_c).