Security update for rubygem-loofah SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:0394-1 Final 1 1 2019-02-14T13:47:10Z current 2019-02-14T13:47:10Z 2019-02-14T13:47:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-loofah This update for rubygem-loofah fixes the following issues: Security issues fixed: - CVE-2018-16468: Fixed XXS by removing the svg animate attribute `from` from the allowlist (bsc#1113969). - CVE-2018-8048: Fixed XSS vulnerability due to unescaped characters by libcxml2 (bsc#1085967). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-394,SUSE-OpenStack-Cloud-7-2019-394,SUSE-OpenStack-Cloud-Crowbar-8-2019-394,SUSE-Storage-4-2019-394 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20190394-1/ Link for SUSE-SU-2019:0394-1 https://lists.suse.com/pipermail/sle-security-updates/2019-February/005122.html E-Mail link for SUSE-SU-2019:0394-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1085967 SUSE Bug 1085967 https://bugzilla.suse.com/1113969 SUSE Bug 1113969 https://www.suse.com/security/cve/CVE-2018-16468/ SUSE CVE CVE-2018-16468 page https://www.suse.com/security/cve/CVE-2018-8048/ SUSE CVE CVE-2018-8048 page SUSE Enterprise Storage 4 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud Crowbar 8 ruby2.1-rubygem-loofah-2.0.2-3.5.1 ruby2.1-rubygem-loofah-doc-2.0.2-3.5.1 ruby2.1-rubygem-loofah-testsuite-2.0.2-3.5.1 ruby2.1-rubygem-loofah-2.0.2-3.5.1 as a component of SUSE Enterprise Storage 4 ruby2.1-rubygem-loofah-2.0.2-3.5.1 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-loofah-2.0.2-3.5.1 as a component of SUSE OpenStack Cloud Crowbar 8 In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. CVE-2018-16468 SUSE Enterprise Storage 4:ruby2.1-rubygem-loofah-2.0.2-3.5.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-loofah-2.0.2-3.5.1 SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-loofah-2.0.2-3.5.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190394-1/ https://www.suse.com/security/cve/CVE-2018-16468.html CVE-2018-16468 https://bugzilla.suse.com/1113969 SUSE Bug 1113969 In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment. CVE-2018-8048 SUSE Enterprise Storage 4:ruby2.1-rubygem-loofah-2.0.2-3.5.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-loofah-2.0.2-3.5.1 SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-loofah-2.0.2-3.5.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190394-1/ https://www.suse.com/security/cve/CVE-2018-8048.html CVE-2018-8048 https://bugzilla.suse.com/1085967 SUSE Bug 1085967 https://bugzilla.suse.com/1086598 SUSE Bug 1086598