[SECURITY] [DLA 3901-1] ruby-loofah security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3901-1] ruby-loofah security update
From: Adrian Bunk <bunk@debian.org>
Date: Sat, 28 Sep 2024 23:09:16 +0300
Message-id: <ZvhibBMOl/zSsg5K@localhost>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3901-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
September 28, 2024                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : ruby-loofah
Version        : 2.7.0+dfsg-1+deb11u1
CVE ID         : CVE-2022-23514 CVE-2022-23515 CVE-2022-23516
Debian Bug     : 1026083

Multiple vulnerabilities have been fixed in ruby-loofah, a Ruby library 
for manipulating and transforming HTML/XML documents and fragments.

CVE-2022-23514

    slow regex attribute check with crass parser

CVE-2022-23515

    XSS with "image/svg+xml" in data URIs

CVE-2022-23516

    Uncontrolled CDATA recursion

For Debian 11 bullseye, these problems have been fixed in version
2.7.0+dfsg-1+deb11u1.

We recommend that you upgrade your ruby-loofah packages.

For the detailed security status of ruby-loofah please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-loofah

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmb4YmgACgkQiNJCh6LY
mLG5/A/9EbFhyLJ+/FLurJeabpEfl3LiILxvp2SphM2hTE6gUki+umTUmNvxqj7n
xcZPLb/v6e1OyUG/Xy0o7yaUU6iokv5zOmrIwxMWGsAA+FOkMapi7cTrhHM21x2Z
qRGVhGz5pfRFvAwv2pNmVuBRs2yRX/pJls3AN6t8waESUq55wMTSVxU3iwbUgQ3v
covkSZb7YswfV9NhIzlIJLY5bThGz5mewwC/3sWMEriovaCZcae0cWaw8xDRmaxe
8Vy+Sa8hFkdJzhCTJfCmWpCPpaShOiwDwBMfqKptaCvCgB2539IlYjaJAMRv5MRW
H7wF3G3gg8MuSkMZ7eIDjy7kNviiMBN3FzvSVMQBo/hv7V4XIY2uIF43FxneNeTC
RS7EJ8E6HnARkrkq/6snOmVchrpDDBnn0msUUxxNTJlokgbqu8bgLPFx8pjpZBbH
fvP1QzJs/bB3/jpRLg1if08ZGJK9u8FY3PpER/kKwp35hakhn5QSxPQ5GHOwnULY
g4ThmgUDzubIf6iAVsC3kROVX2i0sH7VKfZ0poWzrYD09qTqX24SXjgEW/+aqTiq
WWpd8ZD/cEeK58uyWfm54QVl3whqf16JxCm0XVWLq8kYDmTFyRuYbIxzbJLP5te1
kyKz5xWs+nRWY0KJivdwn15hhK080PDjnbz7vqZfBYmyf01+OHY=
=Ewl8
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3900-1] ruby-httparty security update
Next by Date: [SECURITY] [DLA 3902-1] ruby-rails-html-sanitizer security update
Previous by thread: [SECURITY] [DLA 3900-1] ruby-httparty security update
Next by thread: [SECURITY] [DLA 3902-1] ruby-rails-html-sanitizer security update
Index(es):
- Date
- Thread