Debian Security Advisory

DSA-4743-1 ruby-kramdown -- security update

Date Reported:
10 Aug 2020
Affected Packages:
ruby-kramdown
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 965305.
In Mitre's CVE dictionary: CVE-2020-14001.
More information:

A flaw was discovered in ruby-kramdown, a fast, pure ruby, Markdown parser and converter, which could result in unintended read access to files or unintended embedded Ruby code execution when the {::options /} extension is used together with the template option.

The update introduces a new option forbidden_inline_options to restrict the options allowed with the {::options /} extension. By default the template option is forbidden.

For the stable distribution (buster), this problem has been fixed in version 1.17.0-1+deb10u1.

We recommend that you upgrade your ruby-kramdown packages.

For the detailed security status of ruby-kramdown please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby-kramdown