Bugzilla – Bug 963326
VUL-0: CVE-2015-7578: rubygem-rails-html-sanitizer: XSS vulnerability via attributes
Last modified: 2018-07-19 15:05:37 UTC
Created attachment 662970 [details] 1-0-sanitize_data_attributes.patch EMBARGOED via distros CRD: 2016-01-15 bundled in: OBS, Portus Possible XSS vulnerability in rails-html-sanitizer There is a possible XSS vulnerability in rails-html-sanitizer. This vulnerability has been assigned the CVE identifier CVE-2015-7578. Versions Affected: All. Not affected: None. Fixed Versions: 1.0.3 Impact ------ There is a possible XSS vulnerability in rails-html-sanitizer. Certain attributes are not removed from tags when they are sanitized, and these attributes can lead to an XSS attack on target applications. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 1-0-sanitize_data_attributes.patch - Patch for 1.0 series Credits ------- Thanks to Ben Murphy and Marien for reporting this
bugbot adjusting priority
CRD: 2016-01-25
public at http://seclists.org/oss-sec/2016/q1/204
regarding openSUSE, this package is in Leap
Jürgen, I saw your submission https://build.opensuse.org/request/show/356270 Could you check if fix for bug 963327 and bug 963328 are missing?
Hello Andreas, yes, they are missing. I will add this two patches the package and update my request.
This is the submission for openSUSE https://build.opensuse.org/request/show/356287
all submissions done. Assigning to security team.
openSUSE-SU-2016:0356-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 963326,963327,963328 CVE References: CVE-2015-7578,CVE-2015-7579,CVE-2015-7580 Sources used: openSUSE Leap 42.1 (src): rubygem-rails-html-sanitizer-1.0.2-5.1
SUSE-SU-2016:0391-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 963326,963327,963328 CVE References: CVE-2015-7578,CVE-2015-7579,CVE-2015-7580 Sources used: SUSE Enterprise Storage 2.1 (src): rubygem-rails-html-sanitizer-1.0.2-7.1
released i think
SUSE-SU-2016:1146-1: An update that fixes 10 vulnerabilities is now available. Category: security (important) Bug References: 963326,963327,963328,963563,963604,963608,963617,963625,963627,969943 CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2015-7578,CVE-2015-7579,CVE-2015-7580,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752,CVE-2016-0753,CVE-2016-2098 Sources used: SUSE Linux Enterprise Module for Containers 12 (src): portus-2.0.3-2.4