Version in base suite: 5.2.1-2 Base version: ruby-sanitize_5.2.1-2 Target version: ruby-sanitize_5.2.1-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/ruby-sanitize/ruby-sanitize_5.2.1-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/ruby-sanitize/ruby-sanitize_5.2.1-2+deb11u1.dsc changelog | 6 ++++++ patches/CVE-2023-36823.patch | 30 ++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 37 insertions(+)
diff -Nru ruby-sanitize-5.2.1/debian/changelog ruby-sanitize-5.2.1/debian/changelog
--- ruby-sanitize-5.2.1/debian/changelog 2020-12-01 14:35:08.000000000 +0000
+++ ruby-sanitize-5.2.1/debian/changelog 2024-02-04 19:01:01.000000000 +0000
@@ -1,3 +1,9 @@
+ruby-sanitize (5.2.1-2+deb11u1) bullseye-security; urgency=medium
+
+ * CVE-2023-36823 (Closes: #1041430)
+
+ -- Moritz Muehlenhoff Sun, 04 Feb 2024 20:01:01 +0100
+
 ruby-sanitize (5.2.1-2) unstable; urgency=medium
 * Team upload
diff -Nru ruby-sanitize-5.2.1/debian/patches/CVE-2023-36823.patch ruby-sanitize-5.2.1/debian/patches/CVE-2023-36823.patch
--- ruby-sanitize-5.2.1/debian/patches/CVE-2023-36823.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-sanitize-5.2.1/debian/patches/CVE-2023-36823.patch 2024-02-04 19:01:01.000000000 +0000
@@ -0,0 +1,30 @@
+--- ruby-sanitize-5.2.1.orig/lib/sanitize/transformers/clean_css.rb
++++ ruby-sanitize-5.2.1/lib/sanitize/transformers/clean_css.rb
+@@ -48,6 +48,7 @@ class CleanElement
+ if css.strip.empty?
+ node.unlink
+ else
++ css.gsub!(' element' do
++ before do
++ @s = Sanitize.new(Sanitize::Config::RELAXED)
++ end
++
++ it 'is not possible to prematurely end a ],
++ @s.fragment(%[])
++ )
++ end
++ end
+ end
diff -Nru ruby-sanitize-5.2.1/debian/patches/series ruby-sanitize-5.2.1/debian/patches/series
--- ruby-sanitize-5.2.1/debian/patches/series 2020-11-12 11:21:15.000000000 +0000
+++ ruby-sanitize-5.2.1/debian/patches/series 2024-02-04 19:01:01.000000000 +0000
@@ -1 +1,2 @@
 no-relative-path.patch
+CVE-2023-36823.patch
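Review bot: The new debian/patches/CVE-2023-36823.patch carries no DEP-3 header: its first line is already `--- ruby-sanitize-5.2.1.orig/lib/sanitize/transformers/clean_css.rb`, so nothing in the file records what it fixes or where it came from, and the changelog entry only gives the CVE id and bug number. I would prefix it with `Description: CVE-2023-36823: prevent premature end of a style element from sanitized CSS`, `Bug-Debian: https://bugs.debian.org/1041430`, and an `Origin:` line pointing at the upstream commit if this is a backport (the element name is missing from the visible test title, but clean_css.rb and the `css` variable point at the style element). Separately, the arguments of the added `css.gsub!(` call in clean_css.rb and the markup in the new test are not legible on this page (tag-like text appears to have been stripped in rendering), so the escaping it performs should be checked to match the end tag case-insensitively: an HTML parser closes a raw-text element on `</STYLE` exactly as on `</style`, and a plain case-sensitive string pattern would leave that variant in place.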