Bug 693028 (CVE-2012-6708, CVE-2015-9251) - <dev-ruby/rdoc{5.1.0-r1,6.1.2,6.2.0}: Multiple jQuery vulnerabilities
Summary: <dev-ruby/rdoc{5.1.0-r1,6.1.2,6.2.0}: Multiple jQuery vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2012-6708, CVE-2015-9251
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.ruby-lang.org/en/news/201...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: ruby25-stable 693030 693358
Blocks:
Reported: 2019-08-28 17:42 UTC by Hans de Graaff
Modified: 2020-03-26 19:37 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hans de Graaff gentoo-dev Security 2019-08-28 17:42:24 UTC
There are multiple vulnerabilities about Cross-Site Scripting (XSS) in jQuery shipped with RDoc, which is bundled in Ruby. All Ruby users are recommended to update Ruby to the latest release which includes the fixed version of RDoc.
Details

The following vulnerabilities have been reported.

    CVE-2012-6708
    CVE-2015-9251

It is strongly recommended for all Ruby users to upgrade your Ruby installation or take one of the following workarounds as soon as possible. You also have to re-generate existing RDoc documentations to completely mitigate the vulnerabilities.
Comment 1 Hans de Graaff gentoo-dev Security 2019-08-28 17:45:30 UTC
We unbundle rdoc from dev-lang/ruby, so the upstream ruby releases are not relevant for this security bug.

Fixed versions in the tree:

dev-ruby/rdoc-5.1.0-r1 (port from unreleased 5.x version upstream)
dev-ruby/rdoc-6.1.2
dev-ruby/rdoc-6.2.0

The ruby releases other than ruby 2.4.7 also contain additional changes that need to be tested first. In addition ruby 2.5 is in the process of being stabled. I will file separate stable bugs for 2.4 and (once tested) 2.5 as blockers for this bug.
Comment 2 Hans de Graaff gentoo-dev Security 2020-01-05 08:54:23 UTC
Cleanup done.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 19:37:07 UTC
(In reply to Hans de Graaff from comment #1)
> We unbundle rdoc from dev-lang/ruby, so the upstream ruby releases are not
> relevant for this security bug.
> 
> Fixed versions in the tree:
> 
> dev-ruby/rdoc-5.1.0-r1 (port from unreleased 5.x version upstream)
> dev-ruby/rdoc-6.1.2
> dev-ruby/rdoc-6.2.0
> 
> The ruby releases other than ruby 2.4.7 also contain additional changes that
> need to be tested first. In addition ruby 2.5 is in the process of being
> stabled. I will file separate stable bugs for 2.4 and (once tested) 2.5 as
> blockers for this bug.

Thank you for the summary, it is appreciated! :)