Bug 15652 - ruby-redcarpet new security issue fixed upstream in 3.2.3
Summary: ruby-redcarpet new security issue fixed upstream in 3.2.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal minor
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/644039/
Whiteboard: advisory mga4-32-ok mga4-64-ok
Keywords: validated_update
Depends on:
Blocks:
Reported: 2015-04-08 13:55 CEST by David Walser
Modified: 2015-05-12 19:08 CEST (History)

See Also:
Source RPM: ruby-redcarpet-3.1.1-3.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-04-08 13:55:57 CEST
A security issue fixed in ruby-redcarpet 3.2.3 has been announced:
http://openwall.com/lists/oss-security/2015/04/07/11

Mageia 4 and Mageia 5 are affected.

David Walser 2015-04-08 13:56:03 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-08 13:56:42 CEST
The upstream commit to fix the issue is linked in the message above.
Comment 2 David Walser 2015-05-04 23:46:55 CEST
Dropped from Cauldron for now.

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 3 Nicolas Lécureuil 2015-05-11 08:53:32 CEST
Just pushed in mga4 core/updates_testing.

CC: (none) => mageia

Comment 4 David Walser 2015-05-11 14:14:21 CEST
Patched package uploaded for Mageia 4.  Thanks Nicolas!

I had missed it earlier, but MITRE declined to assign a CVE for this:
http://openwall.com/lists/oss-security/2015/04/20/6

We don't have any packages that require this, so marking this as low priority.

Advisory:
========================

Updated ruby-redcarpet packages fix security vulnerability:

Redcarpet allows for possible XSS of untrusted markdown if the autolink
extension is enabled.

References:
http://openwall.com/lists/oss-security/2015/04/07/11
========================

Updated packages in core/updates_testing:
========================
ruby-redcarpet-3.0.0-1.1.mga4
ruby-redcarpet-doc-3.0.0-1.1.mga4

from ruby-redcarpet-3.0.0-1.1.mga4.src.rpm

CC: (none) => pterjan
Assignee: pterjan => qa-bugs
Severity: normal => minor

Comment 5 claire robinson 2015-05-11 15:43:18 CEST
Testing complete mga4 32

Just ensuring it updates cleanly during mga5 final release cycle.

Whiteboard: (none) => mga4-32-ok

Comment 6 claire robinson 2015-05-11 17:58:52 CEST
Advisory uploaded.

Whiteboard: mga4-32-ok => advisory mga4-32-ok

Comment 7 claire robinson 2015-05-11 19:39:54 CEST
Testing complete mga4 64

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: advisory mga4-32-ok => advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-05-11 22:11:34 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0206.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-05-12 19:08:30 CEST

URL: (none) => http://lwn.net/Vulnerabilities/644039/
