Login
Newsletter
Werbung

Sicherheit: Mehrere Probleme in marked
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in marked
ID: FEDORA-2020-d714c08261
Distribution: Fedora
Plattformen: Fedora 32
Datum: So, 31. Mai 2020, 09:06
Referenzen: https://bugzilla.redhat.com/show_bug.cgi?id=1529729
https://bugzilla.redhat.com/show_bug.cgi?id=1529730
https://bugzilla.redhat.com/show_bug.cgi?id=1550779
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8854
https://bugzilla.redhat.com/show_bug.cgi?id=1550778
https://bugzilla.redhat.com/show_bug.cgi?id=1529737
https://bugzilla.redhat.com/show_bug.cgi?id=1185162
https://bugzilla.redhat.com/show_bug.cgi?id=1702320
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000013
https://bugzilla.redhat.com/show_bug.cgi?id=1186221
https://bugzilla.redhat.com/show_bug.cgi?id=1529738
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000427
Applikationen: Marked

Originalnachricht

-------------------------------------------------------------------------------
-
Fedora Update Notification
FEDORA-2020-d714c08261
2020-05-31 03:28:10.749569
-------------------------------------------------------------------------------
-

Name : marked
Product : Fedora 32
Version : 1.1.0
Release : 3.fc32
URL : https://github.com/markedjs/marked
Summary : A markdown parser for Node.js built for speed
Description :
Install this for command line tool and man page.

marked is a full-featured markdown compiler that can parse huge chunks of
markdown without having to worry about caching the compiled output or
blocking for an unnecessarily long time.

marked is extremely fast and frequently outperforms similar markdown parsers.
marked is very concise and still implements all markdown features, as well
as GitHub Flavored Markdown features.

marked more or less passes the official markdown test suite in its entirety.
This is important because a surprising number of markdown compilers cannot
pass more than a few tests.

-------------------------------------------------------------------------------
-
Update Information:

New upstream release with bug and security fixes. Also, consolidates duplicate
pakages marked and nodejs-marked. I tested upgrades from both, but may have
missed some wonky situation.
-------------------------------------------------------------------------------
-
ChangeLog:

* Fri May 22 2020 Stuart Gathman <stuart@gathman.org> - 1.1.0-3
- Move web assets to js-marked
* Fri May 22 2020 Stuart Gathman <stuart@gathman.org> - 1.1.0-2
- Move module files to nodejs-marked
- Fix shebang no longer autofixed in /usr/lib/node_modules
* Fri May 22 2020 Stuart Gathman <stuart@gathman.org> - 1.1.0-1
- New upstream release
- CVE-2015-8854 ReDos fixed in 0.3.9
- bz#1529736 bz#1529738 - XSS w/ mangling disabled fixed in 0.3.9
- bz#1702320 ReDos vuln - CVE removed, problem not in marked
- CVE-2016-1000013 fixed in 0.7.0
- CVE-2017-17461 ReDos in dependency (still open)
- CVE-2017-1000427 XSS via data URI fixed in 0.3.7
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #1185162 - NodeJS marked: VBScript Content Injection [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1185162
[ 2 ] Bug #1186221 - marked-1.1.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1186221
[ 3 ] Bug #1328407 - CVE-2016-1000013 marked: sanitization bypass using HTML
[epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1328407
[ 4 ] Bug #1328408 - CVE-2016-1000013 marked: sanitization bypass using HTML
[epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1328408
[ 5 ] Bug #1329535 - CVE-2015-8854 marked: regular expression denial of
service [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1329535
[ 6 ] Bug #1329537 - CVE-2015-8854 marked: regular expression denial of
service [epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1329537
[ 7 ] Bug #1417926 - CVE-2017-1000427 marked: Cross-site scripting via Data
URIs [epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1417926
[ 8 ] Bug #1417927 - CVE-2017-1000427 marked: Cross-site scripting via Data
URIs [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1417927
[ 9 ] Bug #1417928 - CVE-2017-1000427 marked: Cross-site scripting via Data
URIs [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1417928
[ 10 ] Bug #1529729 - marked: Cross-site Scripting (XSS) attacks via
hexadecimal form of HTML [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1529729
[ 11 ] Bug #1529730 - marked: Cross-site Scripting (XSS) attacks via
hexadecimal form of HTML [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1529730
[ 12 ] Bug #1529737 - marked: Cross-site Scripting (XSS) via autolink with
mangling disabled [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1529737
[ 13 ] Bug #1529738 - marked: Cross-site Scripting (XSS) via autolink with
mangling disabled [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1529738
[ 14 ] Bug #1550778 - marked: Regular expression denial of service in
marked.js [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1550778
[ 15 ] Bug #1550779 - marked: Regular expression denial of service in
marked.js [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1550779
[ 16 ] Bug #1702320 - marked: Regular expression denial of service in
inline.text regex [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1702320
-------------------------------------------------------------------------------
-

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-d714c08261' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung