ArchLinux: 201910-4: ruby-rdoc: cross-site scripting

    Date03 Oct 2019
    CategoryArchLinux
    527
    Posted ByLinuxSecurity Advisories
    The package ruby-rdoc before version 6.1.2-1 is vulnerable to cross- site scripting.
    Arch Linux Security Advisory ASA-201910-4
    =========================================
    
    Severity: Medium
    Date    : 2019-10-02
    CVE-ID  : CVE-2012-6708 CVE-2015-9251
    Package : ruby-rdoc
    Type    : cross-site scripting
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1041
    
    Summary
    =======
    
    The package ruby-rdoc before version 6.1.2-1 is vulnerable to cross-
    site scripting.
    
    Resolution
    ==========
    
    Upgrade to 6.1.2-1.
    
    # pacman -Syu "ruby-rdoc>=6.1.2-1"
    
    The problems have been fixed upstream in version 6.1.2.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2012-6708 (cross-site scripting)
    
    jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS)
    attacks. The jQuery(strInput) function does not differentiate selectors
    from HTML in a reliable fashion. In vulnerable versions, jQuery
    determined whether the input was HTML by looking for the '<' character
    anywhere in the string, giving attackers more flexibility when
    attempting to construct a malicious payload. In fixed versions, jQuery
    only deems the input to be HTML if it explicitly starts with the '<'
    character, limiting exploitability only to attackers who can control
    the beginning of a string, which is far less common.
    
    - CVE-2015-9251 (cross-site scripting)
    
    jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks
    when a cross-domain Ajax request is performed without the dataType
    option, causing text/javascript responses to be executed.
    
    Impact
    ======
    
    An attacker is able to perform cross-side scripting attacks by tricking
    users to generate documentation with a vulnerable RDoc version. RDoc is
    a static documentation generation tool, patching the tool itself is
    insufficient to mitigate these vulnerabilities. Documentations
    generated with previous versions have to be re-generated with newer
    RDoc.
    
    References
    ==========
    
    https://bugs.archlinux.org/task/63978
    https://www.ruby-lang.org/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/
    https://bugs.jquery.com/ticket/11290
    https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d
    https://github.com/jquery/jquery/issues/2432
    https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc
    https://security.archlinux.org/CVE-2012-6708
    https://security.archlinux.org/CVE-2015-9251
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"25","type":"x","order":"1","pct":54.35,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":10.87,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"16","type":"x","order":"3","pct":34.78,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.