Bug 15652

Summary: ruby-redcarpet new security issue fixed upstream in 3.2.3
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: minor    
Priority: Normal CC: mageia, pterjan, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/644039/
Whiteboard: advisory mga4-32-ok mga4-64-ok
Source RPM: ruby-redcarpet-3.1.1-3.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-04-08 13:55:57 CEST 
A security issue fixed in ruby-redcarpet 3.2.3 has been announced:
http://openwall.com/lists/oss-security/2015/04/07/11

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-04-08 13:56:03 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-08 13:56:42 CEST 
The upstream commit to fix the issue is linked in the message above.
Comment 2 David Walser 2015-05-04 23:46:55 CEST 
Dropped from Cauldron for now.

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 3 Nicolas Lécureuil 2015-05-11 08:53:32 CEST 
just pushed in mga4 core/updates_testing

CC: (none) => mageia

Comment 4 David Walser 2015-05-11 14:14:21 CEST 
Patched package uploaded for Mageia 4.  Thanks Nicolas!

I had missed it earlier, but MITRE declined to assign a CVE for this:
http://openwall.com/lists/oss-security/2015/04/20/6

We don't have any packages that require this, so marking this as low priority.

Advisory:
========================

Updated ruby-redcarpet packages fix security vulnerability:

Redcarpet allows for possible XSS of untrusted markdown if the autolink
extension is enabled.

References:
http://openwall.com/lists/oss-security/2015/04/07/11
========================

Updated packages in core/updates_testing:
========================
ruby-redcarpet-3.0.0-1.1.mga4
ruby-redcarpet-doc-3.0.0-1.1.mga4

from ruby-redcarpet-3.0.0-1.1.mga4.src.rpm

CC: (none) => pterjan
Assignee: pterjan => qa-bugs
Severity: normal => minor

Comment 5 claire robinson 2015-05-11 15:43:18 CEST 
Testing complete mga4 32 

Just ensuring it updates cleanly during mga5 final release cycle.

Whiteboard: (none) => mga4-32-ok

Comment 6 claire robinson 2015-05-11 17:58:52 CEST 
Advisory uploaded.

Whiteboard: mga4-32-ok => advisory mga4-32-ok

Comment 7 claire robinson 2015-05-11 19:39:54 CEST 
Testing complete mga4 64

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: advisory mga4-32-ok => advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-05-11 22:11:34 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0206.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-05-12 19:08:30 CEST

URL: (none) => http://lwn.net/Vulnerabilities/644039/