Security fix: OSVDB-120415 - Upgrade redcarpet to 3.2 #3652

Merged
merged 1 commit Apr 13, 2015

@christianvuerings
Contributor

christianvuerings commented Apr 13, 2015

Note: Please release a new gem version of jekyll after merging this.

More information at: http://osvdb.org/show/osvdb/120415

redcarpet Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the parse_inline() function in markdown.c does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

diaspora/diaspora@9fc00d0
fiedl/your_platform@8e707eb
http://social.schiessle.org/display/b38b1460c2b201329b1f4860008dbc6c
https://gemnasium.com/gems/redcarpet/versions/3.2.3

/cc @parkr @envygeeks

@parkr
Member

parkr commented Apr 13, 2015

Hey @ChristianV! Would you mind explaining to me how this affects Jekyll, vendors that run Jekyll, and Jekyll-created sites? Each site is static, so generally they don't accept user input except by the site creator herself or himself.

@christianvuerings
Contributor

christianvuerings commented Apr 13, 2015

@parkr indeed, this would only happen in a use case where the site creator e.g. copy/pastes something themselves and pushes it up.

This is probably not super critical but I would suggest upgrading nonetheless.

@@ -2,7 +2,7 @@ source 'https://rubygems.org'
gemspec
gem 'pygments.rb', '~> 0.6.0'
-gem 'redcarpet', '~> 3.1'
+gem 'redcarpet', '~> 3.2.3'
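Review bot: the new constraint `~> 3.2.3` confines resolution to the 3.2.x series, so any future 3.3.x release would be rejected by this Gemfile; `gem 'redcarpet', '~> 3.2', '>= 3.2.3'` keeps the floor at the patched release while still allowing any 3.x. Note also that this is the development Gemfile for Jekyll 3.x and is not shipped with the gem, so on its own this line does not change what the released gem depends on.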

@parkr
Member

parkr Apr 13, 2015

This unnecessarily locks the user to using 3.2.x, instead of 3.x. I believe you can declare this as ~> 3.2, >= 3.2.3.
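To make the review point concrete, the following added example (not code from the PR or from Jekyll) uses RubyGems' own requirement parser to show which redcarpet versions each of the two constraints would let a resolver pick, alongside whether that version predates the 3.2.3 release the PR upgrades to. The version list is constructed for illustration.

```ruby
# Added example (not from the PR): compares the two Gemfile constraints
# discussed in review using RubyGems' own requirement parser.
require 'rubygems'

# Constraint as written in the PR diff: >= 3.2.3 and < 3.3.
PINNED = Gem::Requirement.new('~> 3.2.3')

# Constraint suggested in review: any 3.x, but never below the fixed 3.2.3.
SUGGESTED = Gem::Requirement.new('~> 3.2', '>= 3.2.3')

# The PR moves the project off every redcarpet release older than 3.2.3.
FIXED_IN = Gem::Version.new('3.2.3')

# True when the given redcarpet version is older than the release the PR pins to.
def affected?(version)
  Gem::Version.new(version) < FIXED_IN
end

# For one version string, report whether it predates the fix and which
# of the two constraints would allow Bundler to select it.
def evaluate(version)
  v = Gem::Version.new(version)
  {
    version:   version,
    affected:  affected?(version),
    pinned:    PINNED.satisfied_by?(v),
    suggested: SUGGESTED.satisfied_by?(v),
  }
end

# Constructed sample of candidate versions a resolver might consider.
SAMPLE_VERSIONS = %w[3.1.2 3.2.2 3.2.3 3.2.9 3.3.0 4.0.0].freeze

# Evaluate every candidate; the 3.3.0 row is where the two constraints differ.
def audit(versions = SAMPLE_VERSIONS)
  versions.map { |v| evaluate(v) }
end

if $PROGRAM_NAME == __FILE__
  audit.each do |r|
    printf("%-6s affected=%-5s ~>3.2.3:%-5s ~>3.2,>=3.2.3:%s\n",
           r[:version], r[:affected], r[:pinned], r[:suggested])
  end
end
```

Both constraints reject every pre-3.2.3 version and accept 3.2.x from 3.2.3 on; only the suggested form also accepts 3.3.0, while neither accepts 4.0.0.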

@parkr
Member

parkr commented Apr 13, 2015

Keep in mind that this Gemfile is for Jekyll 3.x and is not shipped with the gem. That would be the 2.5-stable branch, I believe.

parkr added a commit that referenced this pull request Apr 13, 2015

@parkr parkr merged commit f645cd3 into jekyll:master Apr 13, 2015

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@DomT4 DomT4 referenced this pull request in Homebrew/brew.sh Apr 13, 2015

Closed

redcarpet vulnerability #75

@envygeeks
Contributor

envygeeks commented Apr 13, 2015

This does affect our other services (that are not static), so they are going down right now to be upgraded with the latest version of Redcarpet we can pull. Thank you for the security report, I have also forwarded it to the Ubuntu Security Team.

@christianvuerings christianvuerings deleted the christianvuerings:security-fix-redcarpet branch Apr 13, 2015

@jekyll jekyll locked and limited conversation to collaborators Feb 27, 2017
