Debian Security Advisory
DSA-4743-1 ruby-kramdown -- security update
- Date Reported:
- 10 Aug 2020
- Affected Packages:
- ruby-kramdown
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 965305.
In Mitre's CVE dictionary: CVE-2020-14001. - More information:
-
A flaw was discovered in ruby-kramdown, a fast, pure ruby, Markdown parser and converter, which could result in unintended read access to files or unintended embedded Ruby code execution when the {::options /} extension is used together with the
template
option.The update introduces a new option
forbidden_inline_options
to restrict the options allowed with the {::options /} extension. By default thetemplate
option is forbidden.For the stable distribution (buster), this problem has been fixed in version 1.17.0-1+deb10u1.
We recommend that you upgrade your ruby-kramdown packages.
For the detailed security status of ruby-kramdown please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby-kramdown