Opened 5 years ago
Closed 5 years ago
#12456 closed enhancement (fixed)
ruby-2.6.4
Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | high | Milestone: | 9.0 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version.
Note:
See TracTickets
for help on using tickets.
This seems to be a security release for rdoc, fixing a vulnerability from 2012 and 2015.
There are multiple vulnerabilities about Cross-Site Scripting (XSS) in jQuery shipped with RDoc which bundled in Ruby. All Ruby users are recommended to update Ruby to the latest release which includes the fixed version of RDoc.
It is strongly recommended for all Ruby users to upgrade your Ruby installation or take one of the following workarounds as soon as possible. You also have to re-generate existing RDoc documentations to completely mitigate the vulnerabilities. Affected Versions
Required actions
RDoc is a static documentation generation tool. Patching the tool itself is insufficient to mitigate these vulnerabilities.
So, RDoc documentations generated with previous versions have to be re-generated with newer RDoc. Workarounds
In principle, you should upgrade your Ruby installation to the latest version. RDoc 6.1.2 or later includes the fix for the vulnerabilities, so upgrade RDoc to the latest version if you can’t upgrade Ruby itself.
Note that as mentioned earlier, you have to regenerate existing RDoc documentations.
gem install rdoc -f
Update: The initial version of this post partially mentioned rdoc-6.1.1.gem, which was still vulnerable. Please make sure that you install rdoc-6.1.2 or later.
Regarding the development version, update to the latest HEAD of master branch. Credits
Thanks to Chris Seaton for reporting the issue.