An update for rubygem-yard is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1256 Final 1.0 1.0 2024-03-08 Initial 2024-03-08 2024-03-08 openEuler SA Tool V1.0 2024-03-08 rubygem-yard security update An update for rubygem-yard is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3. YARD is a documentation generation tool for the Ruby programming language. It enables the user to generate consistent, usable documentation that can be exported to a number of formats very easily, and also supports extending for custom Ruby constructs such as custom class level definitions. Security Fix(es): YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.36.(CVE-2024-27285) An update for rubygem-yard is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium rubygem-yard https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1256 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-27285 https://nvd.nist.gov/vuln/detail/CVE-2024-27285 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 rubygem-yard-0.9.26-2.oe1.noarch.rpm rubygem-yard-doc-0.9.26-2.oe1.noarch.rpm rubygem-yard-doc-0.9.26-2.oe2003sp4.noarch.rpm rubygem-yard-0.9.26-2.oe2003sp4.noarch.rpm rubygem-yard-0.9.26-3.oe2203.noarch.rpm rubygem-yard-doc-0.9.26-3.oe2203.noarch.rpm rubygem-yard-0.9.26-3.oe2203sp1.noarch.rpm rubygem-yard-doc-0.9.26-3.oe2203sp1.noarch.rpm rubygem-yard-0.9.26-3.oe2203sp2.noarch.rpm rubygem-yard-doc-0.9.26-3.oe2203sp2.noarch.rpm rubygem-yard-0.9.26-3.oe2203sp3.noarch.rpm rubygem-yard-doc-0.9.26-3.oe2203sp3.noarch.rpm rubygem-yard-0.9.26-2.oe1.src.rpm rubygem-yard-0.9.26-2.oe2003sp4.src.rpm rubygem-yard-0.9.26-3.oe2203.src.rpm rubygem-yard-0.9.26-3.oe2203sp1.src.rpm rubygem-yard-0.9.26-3.oe2203sp2.src.rpm rubygem-yard-0.9.26-3.oe2203sp3.src.rpm YARD is a Ruby Documentation tool. The frames.html file within the Yard Doc s generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the frames.erb template file. This vulnerability is fixed in 0.9.35. 2024-03-08 CVE-2024-27285 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 openEuler-22.03-LTS-SP3 Medium 5.4 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N rubygem-yard security update 2024-03-08 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1256