security update

A flaw was discovered in ruby-kramdown, a fast, pure-Ruby Markdown parser and converter, which could result in unintended read access to files or unintended embedded Ruby code execution when the {::options /} extension is used together with the template option.

The update introduces a new option forbidden_inline_options to restrict the options allowed with the {::options /} extension. By default the template option is forbidden.
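As an added example (not part of the advisory and not kramdown's own code), the following Ruby function audits untrusted Markdown for {::options /} tags that set a forbidden option, which is useful for finding affected content on systems that have not yet been upgraded. The function name, the regular expressions and the sample document are assumptions constructed for this illustration; it is a conservative text scan, not a replacement for the fixed package.

```ruby
# Added example: flag kramdown inline-option tags in untrusted Markdown.
# Hypothetical helper, not part of kramdown; a heuristic audit only.

# Option names to reject. "template" is the one forbidden by default
# in the fixed package, per the advisory.
FORBIDDEN_INLINE_OPTIONS = %w[template].freeze

# An options extension tag, e.g. {::options key="val" /}.
# An escaped "\}" inside the tag does not terminate it.
OPTIONS_TAG = /\{::options\b((?:\\\}|[^}])*?)\/?\}/

# A key immediately followed by = and an opening quote.
OPTION_KEY = /(\w[\w-]*)=["']/

# Returns one {line:, option:} hash per forbidden option found in text.
def forbidden_inline_options(text, forbidden = FORBIDDEN_INLINE_OPTIONS)
  findings = []
  text.scan(OPTIONS_TAG) do
    tag = Regexp.last_match
    # 1-based line number on which the tag starts.
    line = text[0, tag.begin(0)].count("\n") + 1
    tag[1].scan(OPTION_KEY).flatten.each do |key|
      # Conservative normalisation (assumption): flag near-miss spellings too.
      name = key.downcase.tr('-', '_')
      findings << { line: line, option: name } if forbidden.include?(name)
    end
  end
  findings
end

# Constructed sample input; the template value is a placeholder.
SAMPLE = <<~MD
  # Release notes

  {::options auto_ids="false" /}

  Some text.

  {::options template="placeholder" /}
MD

forbidden_inline_options(SAMPLE).each do |f|
  puts "line #{f[:line]}: inline option '#{f[:option]}' is forbidden"
end
```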

For the stable distribution (buster), this problem has been fixed in version 1.17.0-1+deb10u1.

We recommend that you upgrade your ruby-kramdown packages.

For the detailed security status of ruby-kramdown please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby-kramdown
