[DRE-maint] Bug#980057: ruby-redcarpet: CVE-2020-26298
Salvatore Bonaccorso
carnil at debian.org
Wed Jan 13 15:49:43 GMT 2021
Source: ruby-redcarpet
Version: 3.5.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for ruby-redcarpet.
CVE-2020-26298[0]:
| Redcarpet is a Ruby library for Markdown processing. In Redcarpet
| before version 3.5.1, there is an injection vulnerability which can
| enable a cross-site scripting attack. In affected versions no HTML
| escaping was being performed when processing quotes. This applies even
| when the `:escape_html` option was being used. This is fixed in
| version 3.5.1 by the referenced commit.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-26298
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26298
[1] https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793
[2] https://github.com/advisories/GHSA-q3wr-qw3g-3p4h
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-ruby-extras-maintainers
mailing list