A security issue fixed in ruby-redcarpet 3.2.3 has been announced:
http://openwall.com/lists/oss-security/2015/04/07/11
Mageia 4 and Mageia 5 are affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
The upstream commit to fix the issue is linked in the message above.
Dropped from Cauldron for now.
Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)
Just pushed in mga4 core/updates_testing.
CC: (none) => mageia
Patched package uploaded for Mageia 4. Thanks Nicolas!
I had missed it earlier, but MITRE declined to assign a CVE for this:
http://openwall.com/lists/oss-security/2015/04/20/6
We don't have any packages that require this, so marking this as low priority.
Advisory:
========================
Updated ruby-redcarpet packages fix security vulnerability:
Redcarpet allows for possible XSS of untrusted markdown if the autolink extension is enabled.
References:
http://openwall.com/lists/oss-security/2015/04/07/11
========================
Updated packages in core/updates_testing:
========================
ruby-redcarpet-3.0.0-1.1.mga4
ruby-redcarpet-doc-3.0.0-1.1.mga4
from ruby-redcarpet-3.0.0-1.1.mga4.src.rpm
CC: (none) => pterjan
Assignee: pterjan => qa-bugs
Severity: normal => minor
Testing complete mga4 32.
Just ensuring it updates cleanly during mga5 final release cycle.
Whiteboard: (none) => mga4-32-ok
Advisory uploaded.
Whiteboard: mga4-32-ok => advisory mga4-32-ok
Testing complete mga4 64.
Validating. Please push to 4 updates.
Thanks
Keywords: (none) => validated_update
Whiteboard: advisory mga4-32-ok => advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0206.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/644039/