#ruby

Debian Linux Security Advisory 5616-1 - It was discovered that ruby-sanitize, a whitelist-based HTML sanitizer, insufficiently sanitized style elements, which may result in cross-site scripting.

## Summary Nokogiri v1.16.2 upgrades the version of its dependency libxml2 to [v2.12.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5). libxml2 v2.12.5 addresses the following vulnerability: - CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970 Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.16.2`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements. ## Mitigation Upgrade to Nokogiri `>= 1.16.2`. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `>= 2.12.5` which will also addr...

MiniZinc version 2.7.6 suffers from a null pointer vulnerability.

Ubuntu Security Notice 6597-1 - It was discovered that Puma incorrectly handled parsing chunked transfer encoding bodies. A remote attacker could possibly use this issue to cause Puma to consume resources, leading to a denial of service.

Gentoo Linux Security Advisory 202401-27 - Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. Multiple versions are affected.

Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023. "ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity

Red Hat OpenShift security update. Issues addressed include a file disclosure vulnerability.

Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12 any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.0.2 release of Avo. Users are advised to upgrade.

Devise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password algorithm's (TOTP) inherent entropy limitations, it's possible for an attacker to bypass the 2FA mechanism through brute-force attacks. ### Impact If a user's username and password have already been compromised an attacker would be able to try possible TOTP codes and see if they can hit a lucky collision to log in as that user. The user under attack would not necessarily know that their account has been compromised. ### Patches Devise-Two-Factor has not released any fixes for this vulnerability. This library is open-ended by design and cannot solve this for all applications natively. It's recommended that any application leveraging Devise-Two-Factor implement controls at the application level to mitigate this threat. A non-exhaustive list of possible mitigations can be found below. #### Mitigations 1. Use the `lockable` strategy fr...

Gentoo Linux Security Advisory 202401-14 - A denial of service vulnerability has been found in RedCloth. Versions greater than or equal to 4.3.2-r5 are affected.