From ${URL} : A Cross-Site Scripting (XSS) vulnerability was reported [1],[2] in the RedCloth rubygem. This has not been fixed upstream, but Redmine uses a copy of RedCloth and has a patch [3]. [1] https://gist.github.com/co3k/75b3cb416c342aa1414c [2] http://co3k.org/blog/redcloth-unfixed-xss-en [3] http://www.redmine.org/projects/redmine/repository/revisions/2212/diff/trunk/lib/redcloth3.rb @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
CVE-2012-6684 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6684): Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI.
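As an added illustration of the mitigation class this CVE calls for (example code written here, not RedCloth's, Redmine's or Debian's patch): a renderer that builds `<a href>` from user-supplied Textile link targets has to normalise the target the way a browser will and then allowlist the scheme, so a `javascript:` target (plain, mixed-case, whitespace-padded or entity-obfuscated) never reaches the output. The `render_link` helper and the allowlist are assumptions for the example.

```ruby
# Added example, not RedCloth's own code: a defensive link-target check for a
# markup renderer. Assumptions: the renderer hands us the raw link target
# string; relative links are allowed; the scheme allowlist below is ours.
require 'cgi'

ALLOWED_SCHEMES = %w[http https mailto ftp].freeze

# Normalise the target the way a browser does before it looks for a scheme:
# decode HTML entities that markup can use to hide the scheme
# (e.g. "java&#x09;script:") and drop ASCII control characters and
# whitespace, which browsers ignore inside a scheme.
def normalize_href(href)
  decoded = CGI.unescapeHTML(href.to_s)
  decoded.gsub(/[\x00-\x20\x7f]/, '')
end

# True when the target is a relative URL or uses an allowlisted scheme.
# Anything else (javascript:, data:, vbscript:, ...) is rejected by default.
def safe_href?(href)
  h = normalize_href(href)
  return false if h.empty?
  scheme = h[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  return true if scheme.nil?          # relative link, no scheme at all
  ALLOWED_SCHEMES.include?(scheme.downcase)
end

# Render a Textile-style "text":href link. An unsafe target falls back to the
# escaped link text alone, so nothing attacker-controlled lands in href.
# The normalised (not the raw) target is emitted, so a raw tab inside the
# scheme cannot survive into the attribute either.
def render_link(text, href)
  safe_text = CGI.escapeHTML(text.to_s)
  if safe_href?(href)
    %(<a href="#{CGI.escapeHTML(normalize_href(href))}">#{safe_text}</a>)
  else
    safe_text
  end
end
```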
The patch mentioned in the linked bugs is actually for an ancient version of redcloth that is no longer in the tree. Looking at the dependencies and the upstream developer comment I think we should mask this for removal. All packages that depend on this either do so for optional tests or to generate documentation. Affected packages: dev-ruby/coderay, dev-ruby/railties:3.2, dev-ruby/sqlite3, dev-ruby/stringex, dev-ruby/test-unit, www-apps/jekyll
I have now applied a patch from debian that is still pending to be applied upstream. Arches, please test and mark stable: =dev-ruby/redcloth-4.2.9-r3
amd64 stable
x86 stable
Stable for PPC64.
Stable for HPPA.
Stable on alpha (took dev-libs/nspr-4.10.8 along as a dep).
Gah, wrong bug. Disregard #8.
Stable on alpha (for realz, this time).
ia64 stable
arm stable
ppc stable
sparc stable. Maintainer(s), please clean up. Security, please vote.
23 Jul 2015; Manuel Rüger <mrueg@gentoo.org> -redcloth-4.2.9-r1.ebuild: Remove vulnerable.
Maintainer(s), thank you for the cleanup! No GLSAs for Cross-Site Scripting (XSS) as per policy. Closing noglsa.