Bug 2267274
| Summary: | TRIAGE CVE-2024-27285 rubygem-semantic_puppet: yard: Cross-site scripting in the frams.erb template file [epel-all] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Pedro Sampaio <psampaio> |
| Component: | rubygem-semantic_puppet | Assignee: | Breno <brandfbb> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | epel8 | CC: | brandfbb, ekohlvan, igor.raits |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2024-03-05 15:50:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2267244 | ||
|
Description
Pedro Sampaio
2024-03-01 14:23:28 UTC
Use the following template to for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. ===== # bugfix, security, enhancement, newpackage (required) type=security # low, medium, high, urgent (required) severity=medium # testing, stable request=testing # Bug numbers: 1234,9876 bugs=2267244,2267274 # Description of your update notes=Security fix for [PUT CVEs HERE] # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new As mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=2267244#c5 I think this is a false positive. The whole word "unescape" doesn't show up in the generated docs and I can't find the frames file. # rpm -qv rubygem-semantic_puppet rubygem-semantic_puppet-1.0.2-1.el8.noarch # grep unescape $(rpm -ql rubygem-semantic_puppet rubygem-semantic_puppet-doc) grep: /usr/share/gems/gems/semantic_puppet-1.0.2: Is a directory grep: /usr/share/gems/gems/semantic_puppet-1.0.2/lib: Is a directory grep: /usr/share/gems/gems/semantic_puppet-1.0.2/lib/semantic_puppet: Is a directory grep: /usr/share/gems/gems/semantic_puppet-1.0.2/lib/semantic_puppet/dependency: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/rdoc: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/rdoc/SemanticPuppet: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/rdoc/SemanticPuppet/Dependency: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/rdoc/SemanticPuppet/Version: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/rdoc/SemanticPuppet/VersionRange: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/rdoc/css: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/rdoc/fonts: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/rdoc/images: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/rdoc/js: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/Dependency: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/Dependency/Graph: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/Dependency/GraphNode: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/Dependency/ModuleRelease: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/Dependency/Source: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/Dependency/UnsatisfiableGraph: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/Version: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/Version/ValidationFailure: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/VersionRange: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/VersionRange/AbstractRange: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/VersionRange/AllRange: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/VersionRange/ComparatorRange: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/VersionRange/EqRange: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/VersionRange/GtEqRange: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/VersionRange/GtRange: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/VersionRange/LtEqRange: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/VersionRange/LtRange: Is a directory grep: /usr/share/gems/doc/semantic_puppet-1.0.2/ri/SemanticPuppet/VersionRange/MinMaxRange: Is a directory grep: /usr/share/gems/gems/semantic_puppet-1.0.2/spec: Is a directory grep: /usr/share/gems/gems/semantic_puppet-1.0.2/spec/unit: Is a directory grep: /usr/share/gems/gems/semantic_puppet-1.0.2/spec/unit/semantic_puppet: Is a directory grep: /usr/share/gems/gems/semantic_puppet-1.0.2/spec/unit/semantic_puppet/dependency: Is a directory |