[DRE-maint] Bug#985569: Bug#985569: ruby-kramdown: CVE-2021-28834

Antonio Terceiro terceiro at debian.org
Sat Apr 3 17:14:45 BST 2021


Hi,

On Sat, Mar 20, 2021 at 08:50:21AM +0100, Salvatore Bonaccorso wrote:
> Source: ruby-kramdown
> Version: 2.3.0-4
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://github.com/gettalong/kramdown/pull/708
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for ruby-kramdown.
> 
> CVE-2021-28834[0]:
> | Kramdown before 2.3.1 does not restrict Rouge formatters to the
> | Rouge::Formatters namespace, and thus arbitrary classes can be
> | instantiated.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I just uploaded a fix for bullseye, and prepared the attached update for
buster. It passes its own autopkgtest, and I don't see the possibility
of any regressions in non-malicious code.

Let me know if I can go ahead and upload.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ruby-kramdown.buster.diff
Type: text/x-diff
Size: 3275 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-ruby-extras-maintainers/attachments/20210403/0864b8af/attachment.diff>