[SECURITY] [DLA 3565-1] ruby-loofah security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3565-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
September 13, 2023 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : ruby-loofah
Version : 2.2.3-1+deb10u2
CVE ID : CVE-2022-23514 CVE-2022-23515 CVE-2022-23516
Debian Bug : 1026083
Multiple vulnerabilities were discovered in Loofah, a Ruby library for
HTML/XML transformation and sanitization. An attacker could launch
cross-site scripting (XSS) and denial-of-service (DoS) attacks through
crafted HTML/XML documents.
CVE-2022-23514
Inefficient regular expression that is susceptible to excessive
backtracking when attempting to sanitize certain SVG
attributes. This may lead to a denial of service through CPU
resource consumption.
CVE-2022-23515
Cross-site scripting via the image/svg+xml media type in data
URIs.
CVE-2022-23516
Loofah uses recursion for sanitizing CDATA sections, making it
susceptible to stack exhaustion and raising a SystemStackError
exception. This may lead to a denial of service through CPU
resource consumption.
For Debian 10 buster, these problems have been fixed in version
2.2.3-1+deb10u2.
We recommend that you upgrade your ruby-loofah packages.
For the detailed security status of ruby-loofah please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-loofah
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmUBzRgACgkQDTl9HeUl
XjAMXBAAm1NhBGBxyGR5/4g4/SMXjuqzWzqiYs2NRwmxhpq3v0ALZnwanseNuvtf
ryue5Lial9UFCnh7g758bFOmao3UesCtTOdQzDQOkJ0ri247UGEbYd3p2oL3+i8i
YSKoKscGiL3RQ+IpfNy25p4oT/6bvPn7FHKGudSRnKhMqYh8ttDi9DweMEjXgPnv
XijxcB8KSB6X8dGUZjRXRXsG8KUZOzbvGJzrb//8Fmc7qwZUSJNakS4mENpwYgxN
vZB5IfB9p9sB8x/mKyFHD5O/y8hryk5ujnG6F4BfPmL3rWpqxaYXo1ehq8yGqkAy
6t/37RjQv4g2IRC/wjABZjJ1QV69fS4ZIilQG/hQgwUNT89uF15lDHNrCpNU76VF
24zytYqb3OnbiPbmaa0r5VOgPLv+OSB53lLUFz009/OjMHtq2TNPz9rj+7staG/P
A2qmUgjx3waBoMYVXgcJ1sUhkf/tOlQVx797EWjiUYl4xxcT2L5rIr4tQzPaW74P
MSgJBeSIspOKf5F2vnPuoEKNJt63biH7sbp+CBYFlwcaJ4rS+YHc5W1Lxawm/21I
XYtPXpEiw08YLFCc4ITgMcuPUVFIFXYswyG0VaONyLmRjLjT1LlWDCeA69tZ58KP
ja+HaaQ6uSir3WEtsLTl1XStK6Ep9h1CBRPxsnY1Hlx6qtkIVn0=
=dRUb
-----END PGP SIGNATURE-----
Reply to: