Fedora 32: marked FEDORA-2020-d714c08261

    Date 30 May 2020
    Posted By LinuxSecurity Advisories
    --------------------------------------------------------------------------------
    Fedora Update Notification
    FEDORA-2020-d714c08261
    2020-05-31 03:28:10.749569
    --------------------------------------------------------------------------------
    
    Name        : marked
    Product     : Fedora 32
    Version     : 1.1.0
    Release     : 3.fc32
    URL         : https://github.com/markedjs/marked
    Summary     : A markdown parser for Node.js built for speed
    Description :
    Install this for command line tool and man page.
    
    marked is a full-featured markdown compiler that can parse huge chunks of
    markdown without having to worry about caching the compiled output or
    blocking for an unnecessarily long time.
    
    marked is extremely fast and frequently outperforms similar markdown parsers.
    marked is very concise and still implements all markdown features, as well
    as GitHub Flavored Markdown features.
    
    marked more or less passes the official markdown test suite in its entirety.
    This is important because a surprising number of markdown compilers cannot
    pass more than a few tests.
    
    --------------------------------------------------------------------------------
    Update Information:
    
    New upstream release with bug and security fixes.  Also, consolidates duplicate
    packages marked and nodejs-marked.  I tested upgrades from both, but may have
    missed some wonky situation.
    --------------------------------------------------------------------------------
    ChangeLog:
    
    * Fri May 22 2020 Stuart Gathman  - 1.1.0-3
    - Move web assets to js-marked
    * Fri May 22 2020 Stuart Gathman  - 1.1.0-2
    - Move module files to nodejs-marked
    - Fix shebang no longer autofixed in /usr/lib/node_modules
    * Fri May 22 2020 Stuart Gathman  - 1.1.0-1
    - New upstream release
    - CVE-2015-8854 ReDos fixed in 0.3.9
    - bz#1529736 bz#1529738 - XSS w/ mangling disabled fixed in 0.3.9
    - bz#1702320 ReDos vuln - CVE removed, problem not in marked
    - CVE-2016-1000013 fixed in 0.7.0
    - CVE-2017-17461 ReDos in dependency (still open)
    - CVE-2017-1000427 XSS via data URI fixed in 0.3.7
    --------------------------------------------------------------------------------
    References:
    
      [ 1 ] Bug #1185162 - NodeJS marked: VBScript Content Injection [epel-all]
            https://bugzilla.redhat.com/show_bug.cgi?id=1185162
      [ 2 ] Bug #1186221 - marked-1.1.0 is available
            https://bugzilla.redhat.com/show_bug.cgi?id=1186221
      [ 3 ] Bug #1328407 - CVE-2016-1000013 marked: sanitization bypass using HTML [epel-6]
            https://bugzilla.redhat.com/show_bug.cgi?id=1328407
      [ 4 ] Bug #1328408 - CVE-2016-1000013 marked: sanitization bypass using HTML [epel-7]
            https://bugzilla.redhat.com/show_bug.cgi?id=1328408
      [ 5 ] Bug #1329535 - CVE-2015-8854 marked: regular expression denial of service [epel-6]
            https://bugzilla.redhat.com/show_bug.cgi?id=1329535
      [ 6 ] Bug #1329537 - CVE-2015-8854 marked: regular expression denial of service [epel-7]
            https://bugzilla.redhat.com/show_bug.cgi?id=1329537
      [ 7 ] Bug #1417926 - CVE-2017-1000427 marked: Cross-site scripting via Data URIs [epel-7]
            https://bugzilla.redhat.com/show_bug.cgi?id=1417926
      [ 8 ] Bug #1417927 - CVE-2017-1000427 marked: Cross-site scripting via Data URIs [fedora-all]
            https://bugzilla.redhat.com/show_bug.cgi?id=1417927
      [ 9 ] Bug #1417928 - CVE-2017-1000427 marked: Cross-site scripting via Data URIs [epel-6]
            https://bugzilla.redhat.com/show_bug.cgi?id=1417928
      [ 10 ] Bug #1529729 - marked: Cross-site Scripting (XSS) attacks via hexadecimal form of HTML [fedora-all]
            https://bugzilla.redhat.com/show_bug.cgi?id=1529729
      [ 11 ] Bug #1529730 - marked: Cross-site Scripting (XSS) attacks via hexadecimal form of HTML [epel-all]
            https://bugzilla.redhat.com/show_bug.cgi?id=1529730
      [ 12 ] Bug #1529737 - marked: Cross-site Scripting (XSS) via autolink with mangling disabled [fedora-all]
            https://bugzilla.redhat.com/show_bug.cgi?id=1529737
      [ 13 ] Bug #1529738 - marked: Cross-site Scripting (XSS) via autolink with mangling disabled [epel-all]
            https://bugzilla.redhat.com/show_bug.cgi?id=1529738
      [ 14 ] Bug #1550778 - marked: Regular expression denial of service in marked.js [epel-all]
            https://bugzilla.redhat.com/show_bug.cgi?id=1550778
      [ 15 ] Bug #1550779 - marked: Regular expression denial of service in marked.js [fedora-all]
            https://bugzilla.redhat.com/show_bug.cgi?id=1550779
      [ 16 ] Bug #1702320 - marked: Regular expression denial of service in inline.text regex [epel-all]
            https://bugzilla.redhat.com/show_bug.cgi?id=1702320
    --------------------------------------------------------------------------------
    
    This update can be installed with the "dnf" update program. Use
    su -c 'dnf upgrade --advisory FEDORA-2020-d714c08261' at the command
    line. For more information, refer to the dnf documentation available at
    https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
    
    All packages are signed with the Fedora Project GPG key. More details on the
    GPG keys used by the Fedora Project can be found at
    https://fedoraproject.org/keys
    --------------------------------------------------------------------------------