Opened 5 years ago

Closed 5 years ago

#12456 closed enhancement (fixed)

ruby-2.6.4

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: high
Milestone: 9.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (5)

comment:1 by Douglas R. Reno, 5 years ago

This seems to be a security release for rdoc, fixing vulnerabilities from 2012 and 2015.

There are multiple vulnerabilities about Cross-Site Scripting (XSS) in jQuery shipped with RDoc, which is bundled in Ruby. All Ruby users are recommended to update Ruby to the latest release which includes the fixed version of RDoc.

Details

The following vulnerabilities have been reported.

    CVE-2012-6708
    CVE-2015-9251

It is strongly recommended for all Ruby users to upgrade your Ruby installation or take one of the following workarounds as soon as possible. You also have to re-generate existing RDoc documentation to completely mitigate the vulnerabilities.

Affected Versions

    Ruby 2.3 series: all
    Ruby 2.4 series: 2.4.6 and earlier
    Ruby 2.5 series: 2.5.5 and earlier
    Ruby 2.6 series: 2.6.3 and earlier
    prior to master commit f308ab2131ee675000926540cbb8c13c91dc3be5

Required actions

RDoc is a static documentation generation tool. Patching the tool itself is insufficient to mitigate these vulnerabilities.

So, RDoc documentation generated with previous versions has to be re-generated with the newer RDoc.

Workarounds

In principle, you should upgrade your Ruby installation to the latest version. RDoc 6.1.2 or later includes the fix for the vulnerabilities, so upgrade RDoc to the latest version if you can’t upgrade Ruby itself.

Note that, as mentioned earlier, you have to regenerate existing RDoc documentation.

gem install rdoc -f

Update: The initial version of this post partially mentioned rdoc-6.1.1.gem, which was still vulnerable. Please make sure that you install rdoc-6.1.2 or later.

Regarding the development version, update to the latest HEAD of master branch.

Credits

Thanks to Chris Seaton for reporting the issue.

History

    Originally published at 2019-08-28 09:00:00 UTC
    RDoc version fixed at 2019-08-28 11:50:00 UTC
    Minor language fixes at 2019-08-28 12:30:00 UTC
Last edited 5 years ago by Bruce Dubbs
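The upgrade-and-regenerate procedure quoted above, as an added example in Ruby (this is not code from the ticket, the BLFS book, or the Ruby advisory): it encodes the advisory's "Affected Versions" list and the RDoc 6.1.2 threshold as data, reports whether the running interpreter and its installed rdoc gems fall inside them, and rebuilds a documentation tree with RDoc's own `RDoc::RDoc#document` API, deleting the old tree first because that is where the bundled jQuery lives. The `LAST_VULNERABLE_RUBY` table, the helper names, and the `Widget` sample source are assumptions made for this example, not artefacts of the project.

```ruby
#!/usr/bin/env ruby
# Added example (not from the BLFS ticket or the Ruby advisory): check an
# installation against the advisory's version ranges, then regenerate RDoc
# output with the fixed RDoc, since patching the tool alone leaves previously
# generated HTML carrying the old bundled jQuery.
require 'rubygems'
require 'rdoc'
require 'fileutils'
require 'tmpdir'

# From the advisory: RDoc 6.1.2 carries the fix (6.1.1 is still vulnerable).
FIXED_RDOC_VERSION = Gem::Version.new('6.1.2')

# Last vulnerable patch release per Ruby series, transcribed from the
# advisory's "Affected Versions" list (assumption: the list is complete).
# The 2.3 series is affected in its entirety.
LAST_VULNERABLE_RUBY = {
  '2.3' => :all,
  '2.4' => Gem::Version.new('2.4.6'),
  '2.5' => Gem::Version.new('2.5.5'),
  '2.6' => Gem::Version.new('2.6.3'),
}.freeze

# true if this rdoc gem version already includes the jQuery fix.
def rdoc_fixed?(version_string)
  Gem::Version.new(version_string) >= FIXED_RDOC_VERSION
end

# true/false for a series the advisory enumerates; nil for a series it does
# not mention (2.7 and later, or anything before 2.3), so a caller cannot
# silently read "not listed" as "safe".
def ruby_affected?(version_string)
  version = Gem::Version.new(version_string)
  major, minor = version.segments
  last = LAST_VULNERABLE_RUBY["#{major}.#{minor}"]
  return nil if last.nil?
  return true if last == :all
  version <= last
end

# Every rdoc gem version visible to this interpreter (the default gem included).
def installed_rdoc_versions
  Gem::Specification.find_all_by_name('rdoc').map { |spec| spec.version.to_s }
end

# Rebuild output_dir from source_dir with the RDoc that is currently loaded.
# Refuses to run with a vulnerable RDoc, and removes the old tree first: RDoc
# will not write into a non-RDoc directory, and the stale js/ assets are
# exactly what has to be replaced. Returns true when index.html was produced.
def regenerate_docs(source_dir, output_dir)
  unless rdoc_fixed?(RDoc::VERSION)
    raise "RDoc #{RDoc::VERSION} is still vulnerable; run 'gem install rdoc -f' first"
  end
  FileUtils.rm_rf(output_dir)
  RDoc::RDoc.new.document(['--quiet', '--op', output_dir, source_dir])
  File.exist?(File.join(output_dir, 'index.html'))
end

# Constructed sample source tree so the example runs offline (not a real project).
def write_sample_project(dir)
  FileUtils.mkdir_p(dir)
  File.write(File.join(dir, 'widget.rb'), <<~RUBY)
    # A constructed sample class, documented so RDoc has something to emit.
    class Widget
      # Returns the widget's label.
      def label
        'sample'
      end
    end
  RUBY
  dir
end

if __FILE__ == $PROGRAM_NAME
  puts "ruby #{RUBY_VERSION}: affected per advisory? #{ruby_affected?(RUBY_VERSION).inspect}"
  installed_rdoc_versions.each do |v|
    puts "rdoc #{v}: #{rdoc_fixed?(v) ? 'fixed' : 'VULNERABLE, upgrade with: gem install rdoc -f'}"
  end
  Dir.mktmpdir('rdoc-regen') do |tmp|
    src = write_sample_project(File.join(tmp, 'lib'))
    out = File.join(tmp, 'doc')
    puts "regenerated #{out}: #{regenerate_docs(src, out)}"
  end
end
```

On a real system, point `regenerate_docs` at each project's source and existing `doc/` directory instead of the constructed sample; the `rm_rf` is deliberate, since RDoc's own check against overwriting a non-RDoc directory would otherwise stop the rebuild, and keeping any file from the old tree defeats the purpose.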

comment:2 by Douglas R. Reno, 5 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:3 by Douglas R. Reno, 5 years ago

Milestone: 9.1 → 9.0

Push back to version 9.0.

comment:4 by Douglas R. Reno, 5 years ago

Priority: normal → high

Promote to high

comment:5 by Douglas R. Reno, 5 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r22075
