
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2450
                       ruby-sanitize security update
                               20 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-sanitize
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Cross-site Scripting -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4054  

Original Bulletin: 
   http://www.debian.org/security/2020/dsa-4730

---------------------------BEGIN INCLUDED TEXT--------------------


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4730-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 19, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-sanitize
CVE ID         : CVE-2020-4054
Debian Bug     : 963808

Michal Bentkowski discovered that ruby-sanitize, a whitelist-based HTML
sanitizer, is prone to an HTML sanitization bypass vulnerability when
using the "relaxed" config or a custom config that allows certain
elements. Content inside a <math> or <svg> element may not be sanitized
correctly even if math and svg are not in the allowlist.

For the stable distribution (buster), this problem has been fixed in
version 4.6.6-2.1~deb10u1.
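A defender-side check for the fix above. This is an added example, not Debian's or the sanitize project's code: it reimplements dpkg's version ordering in plain Ruby (so it runs where dpkg is absent, e.g. in a CI check over an inventory of package versions) and reports whether an installed ruby-sanitize version string is at or above the patched 4.6.6-2.1~deb10u1; note that the tilde in the fixed version sorts before everything, including end of string, so 4.6.6-2.1 counts as fixed. The sample version strings are constructed.

```ruby
# Rank of one character in dpkg's modified lexical order:
# '~' sorts before anything (even end of string), then letters, then the rest.
def char_order(c)
  return -1 if c == '~'
  return 0 if c.nil?                 # end of the fragment
  return c.ord if c =~ /[A-Za-z]/    # letters before non-letters
  c.ord + 256
end

# Compare two upstream-version or revision fragments the way dpkg does:
# alternate non-digit runs (modified lexical order) and digit runs (numeric).
def compare_fragment(a, b)
  until a.empty? && b.empty?
    a_nd = a[/\A[^0-9]*/]; b_nd = b[/\A[^0-9]*/]
    a = a[a_nd.length..-1]; b = b[b_nd.length..-1]
    [a_nd.length, b_nd.length].max.times do |i|
      d = char_order(a_nd[i]) <=> char_order(b_nd[i])
      return d unless d.zero?
    end
    a_d = a[/\A[0-9]*/]; b_d = b[/\A[0-9]*/]
    a = a[a_d.length..-1]; b = b[b_d.length..-1]
    d = a_d.to_i <=> b_d.to_i
    return d unless d.zero?
  end
  0
end

# Split "[epoch:]upstream[-revision]"; missing epoch or revision counts as 0,
# and the revision is whatever follows the last hyphen.
def parse_version(v)
  epoch, rest = v.include?(':') ? v.split(':', 2) : ['0', v]
  if (cut = rest.rindex('-'))
    [epoch.to_i, rest[0...cut], rest[cut + 1..-1]]
  else
    [epoch.to_i, rest, '0']
  end
end

def debian_version_compare(a, b)
  ea, ua, ra = parse_version(a)
  eb, ub, rb = parse_version(b)
  d = ea <=> eb
  d = compare_fragment(ua, ub) if d.zero?
  d = compare_fragment(ra, rb) if d.zero?
  d
end

FIXED_VERSION = '4.6.6-2.1~deb10u1'   # from DSA-4730-1 (buster)

# True when the installed ruby-sanitize version is at or above the fixed one.
def fixed?(installed)
  debian_version_compare(installed, FIXED_VERSION) >= 0
end
```

Feed it the `Version:` field from `dpkg -s ruby-sanitize` on each host; any host where `fixed?` is false still needs the upgrade.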

We recommend that you upgrade your ruby-sanitize packages.

For the detailed security status of ruby-sanitize please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ruby-sanitize

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================