CVE-2017-1002201 (https://nvd.nist.gov/vuln/detail/CVE-2017-1002201): In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.
Upstream patch: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2
All packages in the tree should work with haml:5, so we should mark this as stable and remove haml:4 afterwards.
x86 stable
ppc64 stable
ppc stable
amd64 stable
arm stable
@maintainer(s), ok to cleanup?
Masked for removal in 30 days.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 202007-27 at https://security.gentoo.org/glsa/202007-27 by GLSA coordinator Sam James (sam_c).