SUSE alert SUSE-SU-2023:3534-1 (rubygem-rails-html-sanitizer)

From:
             
 
sle-security-updates@lists.suse.com
To:
             
 
sle-security-updates@lists.suse.com
Subject:
             
 
SUSE-SU-2023:3534-1: important: Security update for rubygem-rails-html-sanitizer
Date:
             
 
Tue, 05 Sep 2023 16:30:26 -0000
Message-ID:
             
 
<169393142698.13565.18396292784371450974@smelt2.suse.de>


# Security update for rubygem-rails-html-sanitizer

Announcement ID: SUSE-SU-2023:3534-1  
Rating: important  
References:

  * #1206433
  * #1206434
  * #1206435
  * #1206436

  
Cross-References:

  * CVE-2022-23517
  * CVE-2022-23518
  * CVE-2022-23519
  * CVE-2022-23520

  
CVSS scores:

  * CVE-2022-23517 ( SUSE ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2022-23517 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2022-23518 ( SUSE ):  7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
  * CVE-2022-23518 ( NVD ):  6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  * CVE-2022-23519 ( SUSE ):  7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  * CVE-2022-23519 ( NVD ):  6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  * CVE-2022-23520 ( SUSE ):  6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  * CVE-2022-23520 ( NVD ):  6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

  
Affected Products:

  * SUSE Linux Enterprise High Performance Computing 12 SP3
  * SUSE Linux Enterprise Server 12 SP3
  * SUSE Linux Enterprise Server 12 SP4
  * SUSE OpenStack Cloud Crowbar 8
  * SUSE OpenStack Cloud Crowbar 9

  
  
An update that solves four vulnerabilities can now be installed.

## Description:

This update for rubygem-rails-html-sanitizer fixes the following issues:

  * CVE-2022-23517: Fixed inefficient regular expression that is susceptible to
    excessive backtracking (bsc#1206433).
  * CVE-2022-23518: Fixed XSS via data URIs when used in combination with Loofah
    (bsc#1206434).
  * CVE-2022-23519: Fixed XSS vulnerability with certain configurations of
    Rails::Html::Sanitizer (bsc#1206435).
  * CVE-2022-23520: Fixed XSS vulnerability with certain configurations of
    Rails::Html::Sanitizer (bsc#1206436).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE OpenStack Cloud Crowbar 8  
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2023-3534=1

  * SUSE OpenStack Cloud Crowbar 9  
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2023-3534=1

## Package List:

  * SUSE OpenStack Cloud Crowbar 8 (x86_64)
    * ruby2.1-rubygem-rails-html-sanitizer-1.0.3-8.14.1
  * SUSE OpenStack Cloud Crowbar 9 (x86_64)
    * ruby2.1-rubygem-rails-html-sanitizer-1.0.3-8.14.1

## References:

  * https://www.suse.com/security/cve/CVE-2022-23517.html
  * https://www.suse.com/security/cve/CVE-2022-23518.html
  * https://www.suse.com/security/cve/CVE-2022-23519.html
  * https://www.suse.com/security/cve/CVE-2022-23520.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1206433
  * https://bugzilla.suse.com/show_bug.cgi?id=1206434
  * https://bugzilla.suse.com/show_bug.cgi?id=1206435
  * https://bugzilla.suse.com/show_bug.cgi?id=1206436