ALT-PU-2021-1602-1
Package gem-kramdown updated to version 2.3.1-alt1 for branch sisyphus in task 268972.
Closed vulnerabilities
BDU:2021-03178
Vulnerability in the kramdown gem component of the Ruby interpreter that allows an attacker to execute arbitrary code
BDU:2022-00305
Vulnerability in the Rouge formatters of Kramdown, a program for parsing and converting the Markdown format, caused by the use of externally controlled input to select classes, which allows an attacker to gain access to confidential data, compromise its integrity, and cause a denial of service
Modified: 2024-11-21
CVE-2020-14001
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
- https://github.com/gettalong/kramdown
- https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde
- https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0
- https://kramdown.gettalong.org
- https://kramdown.gettalong.org/news.html
- [fluo-notifications] 20200808 [GitHub] [fluo-website] ctubbsii opened a new pull request #194: Update gems
- [debian-lts-announce] 20200809 [SECURITY] [DLA 2316-1] ruby-kramdown security update
- FEDORA-2020-5c70d97eca
- FEDORA-2020-f6eee9a2d3
- https://rubygems.org/gems/kramdown
- https://security.netapp.com/advisory/ntap-20200731-0004/
- USN-4562-1
- DSA-4743
Modified: 2024-11-21
CVE-2021-28834
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
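The defect described above is a namespace-escaping constant lookup: in Ruby, `Module#const_get` with its default `inherit = true` also searches `Object` when the receiver is a module, so a formatter name taken from document options can resolve to any top-level class. The following added example (not code from kramdown, Rouge, or the ALT package; the `Formatters` module, its classes and the `resolve_formatter*` helpers are constructed for illustration) shows the unrestricted lookup beside a hardened one that validates the name shape and passes `inherit = false`, which is the kind of restriction the 2.3.1 fix applies.

```ruby
# Constructed stand-in for a formatter namespace such as Rouge::Formatters.
# The classes are hypothetical; only the lookup rules matter here.
module Formatters
  class HTML; end
  class Terminal256; end
end

# Shape of a single constant name: starts with an uppercase letter and
# contains no "::" path separators, so the lookup cannot walk a path
# out of the namespace.
SAFE_CONST_NAME = /\A[A-Z][A-Za-z0-9_]*\z/

# Unrestricted lookup: Module#const_get with the default inherit=true also
# searches Object when the receiver is a module, so a name such as "File"
# resolves to a top-level class that lives outside Formatters.
def resolve_formatter_unrestricted(name)
  Formatters.const_get(name)
rescue NameError
  nil
end

# Hardened lookup: reject malformed names first, then check and fetch with
# inherit=false so only constants defined directly in Formatters are
# returned. Anything else yields nil instead of an arbitrary class.
def resolve_formatter(name)
  return nil unless name.is_a?(String) && name.match?(SAFE_CONST_NAME)
  return nil unless Formatters.const_defined?(name, false)
  Formatters.const_get(name, false)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed option values as they might arrive from a document.
  ["HTML", "File", "::File", "Object::File"].each do |opt|
    puts format("%-13s unrestricted=%-16p hardened=%p",
                opt.inspect,
                resolve_formatter_unrestricted(opt),
                resolve_formatter(opt))
  end
end
```

A caller that still instantiates the result should treat `nil` as a configuration error rather than falling back to another lookup strategy; the point of the check is that no string from the document can select a class outside the intended namespace.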
- https://github.com/gettalong/kramdown/compare/REL_2_3_0...REL_2_3_1
- https://github.com/gettalong/kramdown/pull/708
- https://gitlab.com/gitlab-org/gitlab/-/commit/179329b5c3c118924fb242dc449d06b4ed6ccb66
- FEDORA-2021-edc673e864
- FEDORA-2021-139a6a2f9d
- FEDORA-2021-4c57a892d1
- DSA-4890