Pullup ticket #6781 - requested by taca
textproc/ruby-sanitize: security fix (CVE-2023-36823)

Revisions pulled up:
- textproc/ruby-sanitize/Makefile   1.3
- textproc/ruby-sanitize/distinfo   1.3

---
Module Name:    pkgsrc
Committed By:   taca
Date:           Sun Jul  9 02:56:28 UTC 2023

Modified Files:
        pkgsrc/textproc/ruby-sanitize: Makefile distinfo

Log Message:
textproc/ruby-sanitize: update to 6.0.2

6.0.2 (2023-07-06)

Bug Fixes

* CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS
  (cross-site scripting). This issue affects Sanitize versions 3.0.0 through
  6.0.1.

  When using Sanitize's relaxed config or a custom config that allows <style>
  elements and one or more CSS at-rules, carefully crafted input could be used
  to sneak arbitrary HTML through Sanitize.

  See the following security advisory for additional details:
  GHSA-f5ww-cq3m-q3g7

  Thanks to @cure53 for finding this issue.

diff -r1.2 -r1.2.4.1 pkgsrc/textproc/ruby-sanitize/Makefile (bsiegert)
@@ -1,16 +1,16 @@ | @@ -1,16 +1,16 @@ | |||
1 | # $NetBSD: Makefile,v 1.2 2023/02/04 13:33:10 taca Exp $ | 1 | # $NetBSD: Makefile,v 1.2.4.1 2023/08/13 09:03:45 bsiegert Exp $ | |
2 | 2 | |||
3 | DISTNAME= sanitize-6.0.1 | 3 | DISTNAME= sanitize-6.0.2 | |
4 | CATEGORIES= textproc | 4 | CATEGORIES= textproc | |
5 | 5 | |||
6 | MAINTAINER= pkgsrc-users@NetBSD.org | 6 | MAINTAINER= pkgsrc-users@NetBSD.org | |
7 | HOMEPAGE= https://github.com/rgrove/sanitize/ | 7 | HOMEPAGE= https://github.com/rgrove/sanitize/ | |
8 | COMMENT= Allowlist-based HTML and CSS sanitizer | 8 | COMMENT= Allowlist-based HTML and CSS sanitizer | |
9 | LICENSE= mit | 9 | LICENSE= mit | |
10 | 10 | |||
11 | DEPENDS+= ${RUBY_PKGPREFIX}-crass>=1.0.2<1.1:../../www/ruby-crass | 11 | DEPENDS+= ${RUBY_PKGPREFIX}-crass>=1.0.2<1.1:../../www/ruby-crass | |
12 | DEPENDS+= ${RUBY_PKGPREFIX}-nokogiri>=1.12.0:../../textproc/ruby-nokogiri | 12 | DEPENDS+= ${RUBY_PKGPREFIX}-nokogiri>=1.12.0:../../textproc/ruby-nokogiri | |
13 | 13 | |||
14 | USE_LANGUAGES= # empty | 14 | USE_LANGUAGES= # empty | |
15 | 15 | |||
16 | .include "../../lang/ruby/gem.mk" | 16 | .include "../../lang/ruby/gem.mk" |
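Review bot: The DISTNAME bump to sanitize-6.0.2 leaves both DEPENDS+= lines untouched, so the crass (>=1.0.2<1.1) and nokogiri (>=1.12.0) ranges are carried forward from 6.0.1 rather than re-derived from the new gem; confirm they still match the 6.0.2 gemspec before pulling this up, because a security update is exactly when a loosened or tightened upstream dependency bound would otherwise slip through unnoticed. No PKGREVISION is present, so nothing needs resetting there.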
@@ -1,5 +1,5 @@ | @@ -1,5 +1,5 @@ | |||
1 | $NetBSD: distinfo,v 1.2 2023/02/04 13:33:10 taca Exp $ | 1 | $NetBSD: distinfo,v 1.2.4.1 2023/08/13 09:03:45 bsiegert Exp $ | |
2 | 2 | |||
3 | BLAKE2s (sanitize-6.0.1.gem) = 7cd8b6d8845065bf5c90b60e2aec935376b87115c0849294692c34cb960a13eb | 3 | BLAKE2s (sanitize-6.0.2.gem) = f44068d396c47968a2f858703761cca30e6f23414f4cebf8178d3012a96cb1e4 | |
4 | SHA512 (sanitize-6.0.1.gem) = 361141150022788dbb804230621f4003d50d82ce6c8767581a3ec74d61388088546f3105a60b440bedb602de1b06d3a3625218f9e0a23c19409fad3385151267 | 4 | SHA512 (sanitize-6.0.2.gem) = 2e83ecf0bcecaec56eaae2935d3f967d983d0dcdce76d358291a3dec1411c5e5e85b80ec3ab6d2d2718211eae6542796744278e9f9a4236157809027403295e1 | |
5 | Size (sanitize-6.0.1.gem) = 47616 bytes | 5 | Size (sanitize-6.0.2.gem) = 47616 bytes |
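Review bot: Both the BLAKE2s and SHA512 lines change, but the Size line stays at 47616 bytes for sanitize-6.0.2.gem, identical to 6.0.1. Two different gem archives with exactly the same byte count is plausible but unusual enough to confirm that the Size entry was regenerated from the fetched 6.0.2 file rather than carried over; running make checksum against the fetched 6.0.2 gem settles it, since a size mismatch fails there.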
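As an added triage example (not code from this pkgsrc commit or from the Sanitize project), the Ruby below applies the two conditions the 6.0.2 changelog names to decide whether a deployment is exposed: a resolved sanitize version in the affected range 3.0.0 through 6.0.1, combined with a config that allows the <style> element and at least one CSS at-rule. It uses only Ruby's bundled Gem::Version and Gem::Requirement, so the sanitize gem need not be installed to run it. The Gemfile.lock text and both configs are constructed samples; the config keys (:elements, :css with :at_rules, :at_rules_with_properties, :at_rules_with_styles) follow the layout Sanitize documents for its configs, so a real config such as Sanitize::Config::RELAXED can be passed in unchanged.

```ruby
# Added triage example for CVE-2023-36823 (not from the pkgsrc commit or the
# Sanitize project). Exposed = affected gem version AND a config that allows
# <style> plus at least one CSS at-rule, per the 6.0.2 changelog.
require 'rubygems'

# Versions the changelog lists as affected: 3.0.0 through 6.0.1 inclusive.
AFFECTED_RANGE = Gem::Requirement.new('>= 3.0.0', '<= 6.0.1')

# Pull the resolved sanitize version out of Gemfile.lock text.
# Resolved specs sit at exactly four spaces of indentation; a gem's own
# dependency lines are indented six, so "sanitize (~> 6.0)" under another
# gem is not mistaken for the resolved version. Returns nil if absent.
def sanitize_version_from_lockfile(lock_text)
  m = lock_text.match(/^ {4}sanitize \(([^)]+)\)$/)
  m && m[1]
end

def affected_version?(version)
  AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version))
end

# True when the config allows the <style> element and any CSS at-rule.
# Key names follow Sanitize's documented config layout (assumption: the
# caller passes a Sanitize-style hash with symbol keys and string names).
def config_exposed?(config)
  elements = config[:elements] || []
  css = config[:css] || {}
  at_rule_keys = %i[at_rules at_rules_with_properties at_rules_with_styles]
  allows_at_rules = at_rule_keys.any? { |k| !(css[k] || []).empty? }
  elements.include?('style') && allows_at_rules
end

# Combine both conditions into one verdict:
#   :vulnerable            affected version and exposed config
#   :upgrade_recommended   affected version, config not exposed today
#   :fixed                 version outside the affected range
#   :not_installed         sanitize is not in the lockfile
def triage(lock_text, config)
  version = sanitize_version_from_lockfile(lock_text)
  result = { status: :not_installed, version: nil, config_exposed: nil }
  return result if version.nil?

  vuln_version = affected_version?(version)
  exposed = config_exposed?(config)
  status =
    if vuln_version && exposed
      :vulnerable
    elsif vuln_version
      :upgrade_recommended
    else
      :fixed
    end
  { status: status, version: version, config_exposed: exposed }
end

# Constructed sample lockfiles (not real project files).
LOCK_OLD = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      nokogiri (1.15.3)
      sanitize (6.0.1)
        crass (~> 1.0.2)
        nokogiri (>= 1.12.0)

  DEPENDENCIES
    sanitize
LOCK
LOCK_NEW = LOCK_OLD.sub('sanitize (6.0.1)', 'sanitize (6.0.2)')

# Hypothetical custom config: allows <style> and the @media at-rule.
CONFIG_WITH_STYLE = {
  elements: %w[a b p style],
  css: { properties: %w[color], at_rules_with_styles: %w[media] }
}.freeze

# Hardened counterpart: no <style> element and no at-rules at all.
CONFIG_HARDENED = {
  elements: %w[a b p],
  css: { properties: %w[color] }
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts triage(LOCK_OLD, CONFIG_WITH_STYLE).inspect
  puts triage(LOCK_NEW, CONFIG_WITH_STYLE).inspect
end
```

The config check is what distinguishes "patch it at leisure" from "patch it now": an application on 6.0.1 whose config never allows <style> is not reachable through the described bypass, but it is still on an affected version and should move to 6.0.2 before anyone relaxes the config later.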