[SECURITY] [DLA 3902-1] ruby-rails-html-sanitizer security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3902-1] ruby-rails-html-sanitizer security update
From: Adrian Bunk <bunk@debian.org>
Date: Sat, 28 Sep 2024 23:31:47 +0300
Message-id: <[🔎] Zvhns6nxuiMppmB7@localhost>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3902-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
September 28, 2024                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : ruby-rails-html-sanitizer
Version        : 1.3.0-1+deb11u1
CVE ID         : CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520 
                 CVE-2022-32209
Debian Bug     : 1013806 1027153

Multiple vulnerabilities have been fixed in ruby-rails-html-sanitizer,
a Ruby library for sanitizing HTML fragments in Rails applications.

CVE-2022-23517

    Inefficient Regular Expression Complexity

CVE-2022-23518

    XSS in data URIs

CVE-2022-23519
CVE-2022-23520
CVE-2022-32209

    XSS vulnerability

For Debian 11 bullseye, these problems have been fixed in version
1.3.0-1+deb11u1.

We recommend that you upgrade your ruby-rails-html-sanitizer packages.

For the detailed security status of ruby-rails-html-sanitizer please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rails-html-sanitizer

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmb4Z7MACgkQiNJCh6LY
mLFMSRAAtY+ZvAUuVCUtae+bYgCxOTDxeOM+qAKcJCuCtNAarXLLnmDLmuTOHOkw
cBbTx/qdq9BM3oYYQE4L3oQ5OqayVH9Pwt94tGK5rp7h4AnvYqKAlgTcROm/oji4
Yq0rHIc7C1lzZNhdpIg82zSzbW+RSLgF48NgJ+AdtMMYKm3MR71yhMR/yD2/pqsR
W/3YNNkE2OwHm1CycglWKu2NNWR6uXSzKSMRyxc1lH94+Cis5HMguYsibAwXE1Sz
m7I+qxAkB3j0Gbs8QtFAUywzQrSpDzBuyLqD38Izhk5fZdXlZpgdQeJT8DrKy5pj
Fych6bjaPcsn7GRYZHSL0w9r061amHE5uiHukOzPQzrtSqYl9Hdx7wxSAITvhyTJ
25wQG/KOkA+y4nHvLAhtcvIELrJxfP0vUF4k90RU+dLI6loo0SgRSRWBFaWUgnrc
XGTB+PQYYei46nLEHeI8WWccoce0kJkYWFxgdw15boPmINyeQu3qPSymqZQWuEgR
/89AHofcV0eb2M675oIFbnm6HnQ5mX4/OVfJ0NgGULQnMUWISUWetiyDgCPpDz+g
dmYO1hqs2QbNFHyoY4D9tT08m6wJYgBmTSVjlmeeKtNmzLzEw8nAk8UzV8AgyEZR
98QEtXiqu7E1RVbd92jVYkYhl81Y6CHzrfoQG0ohibO5uMd8u7o=
=N0rK
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3901-1] ruby-loofah security update
Next by Date: [SECURITY] [DLA 3903-1] unbound security update
Previous by thread: [SECURITY] [DLA 3901-1] ruby-loofah security update
Next by thread: [SECURITY] [DLA 3903-1] unbound security update
Index(es):
- Date
- Thread