diff --git a/CHANGELOG.md b/CHANGELOG.md
index 907c3b8..a4dc608 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
 v4.3.0 (April 2022)
+ - Parse `**` correctly and clean up `UnorderedList` tags in the description field
 - Update HTML tag cleanup to cover `UnorderedList` tags without spaces and double `Paragraph preformat` tags
 v4.2.0 (February 2022)
diff --git a/lib/nexpose/vulnerability.rb b/lib/nexpose/vulnerability.rb
index c89c058..84274b0 100644
--- a/lib/nexpose/vulnerability.rb
+++ b/lib/nexpose/vulnerability.rb
@@ -116,9 +116,10 @@ def cleanup_html(source)
 result.gsub!(/(.*?)<\/Paragraph>/mi){|m| "\nbc. #{ $1 }\n\n"}
 result.gsub!(/(.*?)<\/Paragraph>/m){|m| "#{ $1 }\n"}
 result.gsub!(/|<\/Paragraph>/, '')
- result.gsub!(/(.*?)<\/UnorderedList>/m){|m| "#{ $2 }"}
+ result.gsub!(/|<\/UnorderedList>/, '')
 result.gsub!(/(.*?)<\/OrderedList>/m){|m| "#{ $2 }"}
 result.gsub!(/|<\/ListItem>/, '')
+ result.gsub!(/^\s*\*\*/, 'p. **')
 result.gsub!(/ /, '')
 result.gsub!(/ /, '')
 result.gsub!(/\t\t/, '')
diff --git a/spec/fixtures/files/double_asterisks.xml b/spec/fixtures/files/double_asterisks.xml
new file mode 100644
index 0000000..0b6efd9
--- /dev/null
+++ b/spec/fixtures/files/double_asterisks.xml
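Review bot: The added `result.gsub!(/^\s*\*\*/, 'p. **')` uses `\s*`, which also matches newlines, so when a `**` line follows a blank line the match begins on that blank line and the replacement deletes it. The `p. ` then sits directly under the preceding text with no separating blank line, where Textile may no longer read it as a block signature, so the asterisks can be misparsed again. Restricting the prefix to horizontal whitespace keeps the separator: `result.gsub!(/^[ \t]*\*\*/, 'p. **')`. The rule also rewrites every line that begins with `**`, so a short comment stating that scanner descriptions are not expected to carry intentional second-level Textile bullets would help the next maintainer. `cleanup_html` starts and ends outside this hunk.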
@@ -0,0 +1,115 @@ + + + + + + + + + localhost:5000 + + + + + + + + + + + + + + system="cisco", leap=0, stratum=5, rootdelay=88.21, + +rootdispersion=108.54, peer=24960, refid=135.89.100.96, + +reftime=0xD80BB6B5.715ACDD8, poll=10, clock=0xD80BB78F.8931F3F6, + +phase=8.259, freq=-141.24, error=11.32 + + + + + The following NTP variables were found from a readvar request: system="cisco", leap=0, stratum=5, rootdelay=88.21, +rootdispersion=108.54, peer=24960, refid=135.89.100.96, +reftime=0xD80BB6B5.715ACDD8, poll=10, clock=0xD80BB78F.8931F3F6, +phase=8.259, freq=-141.24, error=11.32 + + + + + + + + + + + + + + + + + + + + + + + ** DISPUTED ** Apache HTTP server in certain configurations allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which reveals child proccess IDs (PID). + + + + 6939 + 6943 + CVE-2003-1418 + 11438 + + + Apache + Apache HTTP Server + Web + + + + + + + You can remove inode information from the ETag header by adding the + following directive to your Apache config: + FileETag MTime Size + + + + OpenBSD + Download and apply the patch from: + + + + + + + + + The OpenBSD team has released a + + + + + + + patch + for the Apache inode and pid leak problem. This patch can be applied + cleanly to 3.2 stable and rebuilt. Restart httpd for the changes to + take effect. OpenBSD 3.3 will ship with the patched httpd by default. + The patch can be applied to earlier 3.x versions of OpenBSD, but it + may require editing of the source code. + + + + + + + + diff --git a/spec/nexpose_upload_spec.rb b/spec/nexpose_upload_spec.rb index 3dcfcc9..5646fb2 100644 --- a/spec/nexpose_upload_spec.rb +++ b/spec/nexpose_upload_spec.rb 
@@ -166,5 +166,14 @@
 @importer.import(file: 'spec/fixtures/files/full.xml')
 end
+
+ it 'appends textile paragraph (p. ) to text starting with double asterisks' do
+ expect(@content_service).to receive(:create_issue) do |args|
+ expect(args[:text]).to include("p. ** DISPUTED **")
+ OpenStruct.new(args)
+ end
+
+ @importer.import(file: 'spec/fixtures/files/double_asterisks.xml')
+ end
 end
 end
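Review bot: The new example asserts only the case where `**` opens the description, so the `^`-anchored rule is never exercised for a `**` line that follows other text or a blank line. The `UnorderedList` cleanup changed in the same commit has no assertion at all. A second expectation on `args[:text]`, such as `expect(args[:text]).not_to include('UnorderedList')`, plus a fixture entry with the asterisks mid-description, would pin both behaviours. The enclosing `describe` block starts outside this hunk.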