Malware Devil

Tuesday, August 11, 2020

ESB-2020.2749 – [Debian] ruby-kramdown: Execute arbitrary code/commands – Remote/unauthenticated

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2749
                       ruby-kramdown security update
                              11 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-kramdown
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14001  

Reference:         ESB-2020.2731

Original Bulletin: 
   http://www.debian.org/security/2020/dsa-4743

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4743-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 10, 2020                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : ruby-kramdown
CVE ID         : CVE-2020-14001
Debian Bug     : 965305

A flaw was discovered in ruby-kramdown, a fast, pure Ruby Markdown
parser and converter, which could result in unintended read access to
files or unintended embedded Ruby code execution when the {::options /}
extension is used together with the 'template' option.

The update introduces a new option 'forbidden_inline_options' to
restrict the options allowed with the {::options /} extension. By
default the 'template' option is forbidden.
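As an added example (not part of the Debian advisory or the kramdown project's own code): a small pre-render gate in Ruby that scans untrusted Markdown for the {::options /} extension and refuses to render a document that tries to set an option on a forbidden list, mirroring the intent of the 'forbidden_inline_options' option the update introduces. The attribute syntax it parses (key="value" pairs inside {::options ... /}), the sample documents, the placeholder template name and the function names are assumptions; the call that passes forbidden_inline_options to Kramdown::Document.new only has an effect on a kramdown version that includes the fix.

```ruby
# Added example, not code from the advisory or from kramdown.
# Gate untrusted Markdown before handing it to kramdown: find every
# {::options ... /} extension, parse its key="value" attributes, and
# refuse to render if any key is on the forbidden list (default: template,
# matching the default the update introduces).
require 'set'

DEFAULT_FORBIDDEN = Set['template'].freeze

# One {::options ... /} extension; group 1 is the raw attribute list.
# (Assumed syntax: kramdown's inline extension form.)
OPTIONS_EXT = /\{::options\b([^}]*?)\/\}/m

# key="value" or key='value' pairs inside the attribute list.
ATTR = /([a-zA-Z_][\w\-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/

# Returns one Hash of attributes per {::options /} extension found.
def inline_options(markdown)
  markdown.scan(OPTIONS_EXT).map do |(attrs)|
    attrs.scan(ATTR).map { |key, dq, sq| [key, dq || sq] }.to_h
  end
end

# Names of forbidden options the document tries to set (deduplicated).
def forbidden_inline_options(markdown, forbidden = DEFAULT_FORBIDDEN)
  inline_options(markdown)
    .flat_map { |opts| opts.keys.select { |k| forbidden.include?(k) } }
    .uniq
end

def safe_to_render?(markdown, forbidden = DEFAULT_FORBIDDEN)
  forbidden_inline_options(markdown, forbidden).empty?
end

# Render only after the gate passes. Also passes the fixed version's own
# forbidden_inline_options option so the parser enforces the same list;
# on an unpatched kramdown that option is ignored, which is why the gate
# above runs first. Returns nil when the kramdown gem is not installed.
def render_untrusted(markdown, forbidden = DEFAULT_FORBIDDEN)
  bad = forbidden_inline_options(markdown, forbidden)
  unless bad.empty?
    raise ArgumentError, "refusing to render: forbidden inline options #{bad.inspect}"
  end
  begin
    require 'kramdown'
  rescue LoadError
    return nil
  end
  Kramdown::Document.new(markdown, forbidden_inline_options: forbidden.to_a).to_html
end

# Constructed sample documents (not from the advisory).
SAMPLE_OK  = "# Title\n\n{::options auto_ids=\"false\" /}\n\nBody text.\n"
SAMPLE_BAD = "# Title\n\n{::options template=\"PLACEHOLDER_TEMPLATE\" /}\n\nBody text.\n"

if __FILE__ == $PROGRAM_NAME
  puts "ok document safe?  #{safe_to_render?(SAMPLE_OK)}"
  puts "bad document sets: #{forbidden_inline_options(SAMPLE_BAD).inspect}"
  begin
    render_untrusted(SAMPLE_BAD)
  rescue ArgumentError => e
    puts e.message
  end
end
```

The gate is deliberately conservative: it rejects the whole document rather than stripping the offending extension, so a rendering service fails closed and the rejection can be logged with the option names it found. Upgrading to the fixed package remains the actual remediation; the pre-check only adds a layer for deployments that render Markdown from untrusted sources.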

For the stable distribution (buster), this problem has been fixed in
version 1.17.0-1+deb10u1.

We recommend that you upgrade your ruby-kramdown packages.

For the detailed security status of ruby-kramdown please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ruby-kramdown

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
