CVE-2018-3740

Name	CVE-2018-3740
Description	A specially crafted HTML fragment can cause Sanitize gem for Ruby to allow non-whitelisted attributes to be used on a whitelisted HTML element.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-4358-1
Debian Bugs	893610

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ruby-sanitize (PTS)	jessie	2.1.0-1	vulnerable
	stretch (security), stretch (lts), stretch	2.1.0-2+deb9u1	fixed
	buster	4.6.6-2.1~deb10u1	fixed
	buster (security)	4.6.6-2.1~deb10u2	fixed
	bullseye	5.2.1-2	fixed
	bullseye (security)	5.2.1-2+deb11u1	fixed
	bookworm	6.0.0-1.1	fixed
	bookworm (security)	6.0.0-1.1+deb12u1	fixed
	sid, trixie	6.0.2-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
ruby-sanitize	source	experimental	4.6.5-1
ruby-sanitize	source	stretch	2.1.0-2+deb9u1	DSA-4358-1
ruby-sanitize	source	(unstable)	4.6.6-1		893610

Notes

[jessie] - ruby-sanitize <ignored> (Only occurs with libxml2 >= 2.9.2, jessie has 2.9.1)
https://github.com/rgrove/sanitize/issues/176
https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e (v4.6.3)
Fixes for 2.1.x: https://github.com/rgrove/sanitize/compare/v2.1.0...v2.1.1
Only an issue in combination with libxml2 >= 2.9.2
The 'fragment' method was renamed from 'clean' method in earlier version
in v3.0.0