RFC: ruby-loofah 2.2.3-1+deb10u2

To: debian-lts@lists.debian.org
Subject: RFC: ruby-loofah 2.2.3-1+deb10u2
From: Daniel Leidert <dleidert@debian.org>
Date: Mon, 13 Mar 2023 23:18:19 +0100
Message-id: <[🔎] 7ab20eb1364ebfa9cb2fe1e726e06a04405788b6.camel@debian.org>

Hi there,

I prepared my first LTS update. You can find it here:

https://salsa.debian.org/lts-team/packages/ruby-loofah

When I ran some test cases to see if all the vulnerabilities are fixed,
I discovered that there is a slight behavioral change:

As part of the fix for CVE-2022-23516, loofah will no longer remove
nested <script> sections, but escape the tags instead. They also
adjusted their tests for that. To demonstrate:

This:

<div><script><script>alert(1);</script></script></div>

resulted in:

<div>alert(1);</div>

and now it results in:

<div>&lt;script&gt;&lt;script&gt;alert(1);&lt;/script&gt;&lt;/script&gt;</div>

What do you think? I wonder if that is an acceptable change?

if you have any other feedback, please don't hesitate to leave it here.

Regards, Daniel

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Re: RFC: ruby-loofah 2.2.3-1+deb10u2
  - From: Anton Gladky <gladk@debian.org>
- Re: RFC: ruby-loofah 2.2.3-1+deb10u2
  - From: Emilio Pozuelo Monfort <pochu@debian.org>

Prev by Date: Re: LTS upload of ruby-loofah
Next by Date: Re: RFC: ruby-loofah 2.2.3-1+deb10u2
Previous by thread: Re: LTS upload of ruby-loofah
Next by thread: Re: RFC: ruby-loofah 2.2.3-1+deb10u2
Index(es):
- Date
- Thread