ruby-rails-html-sanitizer (1.0.4-1+deb10u2) buster-security; urgency=high

  * Non-maintainer upload by the LTS Security Team. (Closes: #1027153)
  * CVE-2022-23517: Certain configurations use an inefficient regular
    expression that is susceptible to excessive backtracking when
    attempting to sanitize certain SVG attributes. This may lead to a
    denial of service through CPU resource consumption.
    Fix requires ruby-loofah >= 2.2.3-1+deb10u2.
  * CVE-2022-23518: cross-site scripting via data URIs when used in
    combination with Loofah.
    Fix requires ruby-loofah >= 2.2.3-1+deb10u2.
  * CVE-2022-23519: XSS vulnerability with certain configurations of
    Rails::Html::Sanitizer may allow an attacker to inject content if the
    application developer has overridden the sanitizer's allowed tags in
    either of the following ways: allow both "math" and "style" elements,
    or allow both "svg" and "style" elements.
    Same fix as CVE-2022-23520.
  * CVE-2022-23520: XSS vulnerability with certain configurations of
    Rails::Html::Sanitizer due to an incomplete fix of
    CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject
    content if the application developer has overridden the sanitizer's
    allowed tags to allow both "select" and "style" elements. Code is only
    impacted if allowed tags are being overridden.
    Fix requires ruby-loofah >= 2.2.3-1+deb10u2.
  * Drop patch for CVE-2022-32209, replaced by the one for
    CVE-2022-23519/23520.

 -- Sylvain Beucler <beuc@debian.org>  Wed, 13 Sep 2023 11:43:01 +0200

ruby-rails-html-sanitizer (1.0.4-1+deb10u1) buster-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to prevent a possible XSS vulnerability in certain
    configurations. (Closes: #1013806) (Fixes: CVE-2022-32209)

 -- Utkarsh Gupta <utkarsh@debian.org>  Tue, 06 Dec 2022 19:42:35 +0530

ruby-rails-html-sanitizer (1.0.4-1) unstable; urgency=medium

  * New upstream release.
  * debian/compat: Bump debhelper compatibility level to 11.
  * debian/control:
    - Bump required debhelper version to >= 11~.
    - Bump Standards-Version to 4.1.3 (no changes needed).
    - Use salsa.debian.org in Vcs-* fields.
    - Add myself as Uploader.
    - Require ruby-loofah >= 2.2.2~.
  * debian/copyright:
    - Use HTTPS in link to copyright format specification.
    - Add missing Debian packaging authors.
  * debian/patches: Drop patch to skip failing specs, fixed upstream.
  * debian/watch: Use version 4 and HTTPS in link to gemwatch service.

 -- Georg Faerber <georg@riseup.net>  Fri, 23 Mar 2018 13:42:07 +0100

ruby-rails-html-sanitizer (1.0.3-2) unstable; urgency=medium

  * Team upload.

  [ Cédric Boutillier ]
  * Bump debhelper compatibility level to 9
  * Use https:// in Vcs-* fields
  * Bump Standards-Version to 3.9.7 (no changes needed)

  [ Christian Hofstaedtler ]
  * Drop ruby-rails from Depends, as no lib code actually loads rails;
    makes the dependency cycle a little less bad.

 -- Christian Hofstaedtler <zeha@debian.org>  Sat, 05 Mar 2016 04:24:42 +0100

ruby-rails-html-sanitizer (1.0.3-1) unstable; urgency=high

  * New upstream release. Contains fixes for several XSS vulnerabilities:
    CVE-2015-7578 CVE-2015-7579 CVE-2015-7580 (Closes: #812814)
  * debian/ruby-tests.rake: re-enable test that was disabled
  * 0001-Skip-some-tests-under-Debian.patch: skip tests where the sanitized
    HTML is XSS-free but does not match the exact content expected by the
    upstream test suite. I suspect that is due to Nokogiri not using its own
    patched version of libxml2 in Debian, but can't be sure of that yet.
    Also, the same tests would already fail on 1.0.2 if enabled.

 -- Antonio Terceiro <terceiro@debian.org>  Tue, 26 Jan 2016 19:36:51 -0200

ruby-rails-html-sanitizer (1.0.2-1) unstable; urgency=medium

  * Initial release (Closes: #784326)
  * Disabled a test as it required gems which have Rails > 4.2.0 in their
    dependency chain

 -- Balasankar C <balasankarc@autistici.org>  Tue, 05 May 2015 13:07:22 +0530
