Debian Package Tracker

ruby-commonmarker

CommonMark parser and renderer - Written in C, wrapped in Ruby


general
  • source: ruby-commonmarker (main)
  • version: 0.23.10-1
  • maintainer: Debian Ruby Team (archive) (DMD)
  • uploaders: Pirate Praveen [DMD]
  • arch: any
  • std-ver: 4.6.1
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.21.0-1
  • oldstable: 0.23.6-1
  • stable: 0.23.10-1
  • testing: 0.23.10-1
  • unstable: 0.23.10-1
versioned links
  • 0.21.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.23.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.23.10-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • ruby-commonmarker
action needed
A new upstream version is available: 2.6.3 high
A new upstream version 2.6.3 is available, you should consider packaging it.
Created: 2025-11-26 Last update: 2026-03-04 13:01
version in VCS is newer than in repository, is it time to upload? normal
vcswatch reports that this package seems to have a new changelog entry (version 2.6.3-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit 6e5de57a07dfe7dab73a8800fc822cb055dd2846
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Mon Feb 23 17:08:39 2026 -0600

    Import changelog entries

commit 3e91a7b0117995355592045c723adf0ef141097b
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Mon Feb 23 17:08:16 2026 -0600

    Clean up build dependencies

commit 4ddd445f2f0d886542cef2e4f6712e885313ebd9
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Mon Feb 23 17:07:49 2026 -0600

    Add remove-rb-allocator.patch to remove unpackaged crate.

commit d516c5249bb7c4a80540d907b0ced8903c834177
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Mon Feb 23 17:07:23 2026 -0600

    Update fix-versions.patch.

commit 963ebb62d38c1707c43a0bd77973fc635d99b917
Author: Manuel Guerra <ar.manuelguerra@gmail.com>
Date:   Fri Feb 20 03:08:33 2026 +0000

    Fix versions

commit 01474acde852aa11f972c5bb0b6f4da74601e8e8
Author: Manuel Guerra <ar.manuelguerra@gmail.com>
Date:   Fri Feb 20 02:10:30 2026 +0000

    Fix rust workspace error

commit 151d127ee8a77267da6a56409da82139324b774f
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Mon Feb 23 15:50:20 2026 -0600

    Add Rust-related build dependencies.

commit 2fc398270401ed32353e96950a833a212039c12b
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Mon Feb 23 15:50:02 2026 -0600

    Add 0002-add-empty-workspace.patch to fix compilation.

commit 25077b8ff83bab59a8f276677b99f7b94e00a96b
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Mon Feb 23 15:28:43 2026 -0600

    Drop Rules-Requires-Root field, it is now redundant.

commit 79f187ed39bc917d032001f6c3614b58bd73a1c5
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Mon Feb 23 15:28:35 2026 -0600

    Update Standards-Version to 4.7.3.

commit 2ff329c2bba5a58bca9205805b51b0b0d274143a
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Mon Feb 23 15:28:10 2026 -0600

    New upstream release.

commit cece38ef970853844b4b9b8595d77285011f84d0
Merge: aa36fd1 f05c4fe
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Mon Feb 23 15:27:54 2026 -0600

    Update upstream source from tag 'upstream/2.6.3'
    
    Update to upstream version '2.6.3'
    with Debian dir 1d8a22dbcc97a0e3dbeb3e66db4e3200e4598e34

commit f05c4feff60f23dd8a12bdb60d89241d6c322e9e
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Mon Feb 23 15:27:54 2026 -0600

    New upstream version 2.6.3

commit aa36fd119c61cf71a1569ffd6c46f4d14ccc2ec8
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Mon Feb 23 15:27:45 2026 -0600

    Upgrade the watch file to version 5.

commit 0bd25ad28ff230fff2db95333278d0fe0f6ab5d9
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Wed Nov 12 10:16:52 2025 -0600

    Refresh patch

commit 5d6f19c4953e581e155831b73821426971e6710e
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Wed Nov 12 10:16:20 2025 -0600

    Update Standards-Version to 4.7.2, no changes needed.

commit 93fd8b02a48bcf1e5dd12b9c54d851d12d9a9400
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Wed Nov 12 10:15:59 2025 -0600

    Drop {XS,XB}-Ruby-Versions from control.

commit 347810db6b61c31dd81f282079d74e8c4f6d1ddd
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Wed Nov 12 10:15:49 2025 -0600

    New upstream release.

commit c8ef22ac594bec9cb87a593a217538abae018e0b
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Wed Nov 12 10:15:22 2025 -0600

    New upstream version 2.5.0

commit b034fc1b331ab77aa17a00b3240e891d0d3cf1ff
Merge: 36f232c c8ef22a
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Wed Nov 12 10:15:22 2025 -0600

    Update upstream source from tag 'upstream/2.5.0'
    
    Update to upstream version '2.5.0'
    with Debian dir 856d04716a46d3dd849fec9faff8db5d3e304b0a

commit 36f232cbf837e32d4b5d87c0c435bfcceba6ea35
Author: Lucas Nussbaum <lucas@debian.org>
Date:   Sat Sep 6 05:18:23 2025 +0000

    debian/salsa-ci.yml: use team-specific include

commit 7b24bf488dea251038e9dd2526a1904052425765
Author: Lucas Nussbaum <lucas@debian.org>
Date:   Sat Sep 6 05:18:20 2025 +0000

    debian/.gitattributes: remove

commit ed3e2ad32f340bccfdb3a5205ca9f0b65b379365
Author: Lucas Nussbaum <lucas@debian.org>
Date:   Mon Aug 25 06:29:45 2025 +0000

    debian/gbp.conf: Add for DEP-14
Created: 2025-08-25 Last update: 2026-03-01 13:31
lintian reports 8 warnings normal
Lintian reports 8 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2023-07-15 Last update: 2025-12-24 11:01
8 low-priority security issues in bookworm low

There are 8 open security issues in bookworm.

1 issue left for the package maintainer to handle:
  • CVE-2023-22485: (needs triaging) cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage. This vulnerability has been patched in 0.29.0.gfm.7.

You can find information about how to handle this issue in the security team's documentation.

7 ignored issues:
  • CVE-2022-39209: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
  • CVE-2023-22483: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.
  • CVE-2023-22484: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-24824: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
  • CVE-2023-26485: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `_` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources. ### Impact A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. ### Proof of concept ``` $ ~/cmark-gfm$ python3 -c 'pad = "_" * 100000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext ``` Increasing the number 10000 in the above commands causes the running time to increase quadratically. ### Patches This vulnerability have been patched in 0.29.0.gfm.10. ### Note on cmark and cmark-gfm XXX: TBD [cmark-gfm](https://github.com/github/cmark-gfm) is a fork of [cmark](https://github.com/commonmark/cmark) that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. These bugs affect both `cmark` and `cmark-gfm`. ### Credit We would like to thank @gravypod for reporting this vulnerability. ### References https://en.wikipedia.org/wiki/Time_complexity ### For more information If you have any questions or comments about this advisory: * Open an issue in [github/cmark-gfm](https://github.com/github/cmark-gfm)
  • CVE-2023-37463: cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. These vulnerabilities have been patched in 0.29.0.gfm.12.
Created: 2023-06-10 Last update: 2025-10-25 22:00
Standards version of the package is outdated. wishlist
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.3 instead of 4.6.1).
Created: 2022-12-17 Last update: 2025-12-23 20:00
news
[rss feed]
  • [2023-11-10] ruby-commonmarker 0.23.10-1 MIGRATED to testing (Debian testing watch)
  • [2023-11-08] Accepted ruby-commonmarker 0.23.10-1 (source) into unstable (Ravish BC) (signed by: Praveen Arimbrathodiyil)
  • [2023-07-20] ruby-commonmarker 0.23.9-1 MIGRATED to testing (Debian testing watch)
  • [2023-07-14] Accepted ruby-commonmarker 0.23.9-1 (source) into unstable (Vinay Keshava)
  • [2023-02-09] Accepted ruby-commonmarker 0.23.6-1~bpo11+1 (source amd64) into bullseye-backports (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2022-11-23] ruby-commonmarker 0.23.6-1 MIGRATED to testing (Debian testing watch)
  • [2022-11-20] Accepted ruby-commonmarker 0.23.6-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2022-04-05] ruby-commonmarker 0.23.4-1 MIGRATED to testing (Debian testing watch)
  • [2022-04-01] Accepted ruby-commonmarker 0.23.4-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-12-11] ruby-commonmarker 0.23.2-2 MIGRATED to testing (Debian testing watch)
  • [2021-12-09] Accepted ruby-commonmarker 0.23.2-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-11-18] Accepted ruby-commonmarker 0.23.2-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-11-13] ruby-commonmarker 0.21.0-3 MIGRATED to testing (Debian testing watch)
  • [2021-11-11] Accepted ruby-commonmarker 0.21.0-3 (source) into unstable (Daniel Leidert)
  • [2021-11-07] ruby-commonmarker 0.21.0-2 MIGRATED to testing (Debian testing watch)
  • [2021-11-04] Accepted ruby-commonmarker 0.21.0-2 (source) into unstable (Sergio Durigan Junior)
  • [2020-08-28] ruby-commonmarker 0.21.0-1 MIGRATED to testing (Debian testing watch)
  • [2020-08-26] Accepted ruby-commonmarker 0.21.0-1 (source) into unstable (Cédric Boutillier)
  • [2020-07-18] ruby-commonmarker 0.20.2-2 MIGRATED to testing (Debian testing watch)
  • [2020-07-13] Accepted ruby-commonmarker 0.20.2-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2020-01-06] Accepted ruby-commonmarker 0.20.2-1~bpo10+1 (source amd64) into buster-backports, buster-backports (Nilesh) (signed by: Praveen Arimbrathodiyil)
  • [2019-12-27] ruby-commonmarker 0.20.2-1 MIGRATED to testing (Debian testing watch)
  • [2019-12-25] Accepted ruby-commonmarker 0.20.2-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2019-12-24] Accepted ruby-commonmarker 0.17.9-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2018-05-18] Accepted ruby-commonmarker 0.17.9-1~bpo9+1 (source amd64) into stretch-backports, stretch-backports (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2018-04-01] ruby-commonmarker 0.17.9-1 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian (0, 8)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 0.23.10-1build3

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers