svn commit: r386399 - head/security/vuxml
Michael Moll
mmoll at FreeBSD.org
Fri May 15 12:02:58 UTC 2015
Author: mmoll
Date: Fri May 15 12:02:57 2015
New Revision: 386399
URL: https://svnweb.freebsd.org/changeset/ports/386399
Log:
security/vuxml: document vulnerability in rubygem-redcarpet <3.2.3
PR: 200195
Differential Revision: https://reviews.freebsd.org/D2548
Submitted by: Sevan Janiyan <venture37 at geeklan.co.uk>
Approved by: mat (mentor)
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Fri May 15 10:53:59 2015 (r386398)
+++ head/security/vuxml/vuln.xml Fri May 15 12:02:57 2015 (r386399)
@@ -57,6 +57,35 @@ Notes:
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="c368155a-fa83-11e4-bc58-001e67150279">
+ <topic>rubygem-redcarpet -- XSS vulnerability</topic>
+ <affects>
+ <package>
+ <name>rubygem-redcarpet</name>
+ <range><lt>3.2.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Daniel LeCheminant reports:</p>
+ <blockquote cite="https://hackerone.com/reports/46916">
+ <p>When markdown is being presented as HTML, there seems to be a
+ strange interaction between _ and @ that lets an attacker insert
+ malicious tags.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <mlist>http://openwall.com/lists/oss-security/2015/04/07/11</mlist>
+ <url>https://hackerone.com/reports/46916</url>
+ <url>http://danlec.com/blog/bug-in-sundown-and-redcarpet</url>
+ </references>
+ <dates>
+ <discovery>2015-04-07</discovery>
+ <entry>2015-05-14</entry>
+ </dates>
+ </vuln>
+
<vuln vid="57325ecf-facc-11e4-968f-b888e347c638">
<topic>ufraw -- integer overflow condition</topic>
<affects>
More information about the svn-ports-all
mailing list