A flaw was discovered in ruby-kramdown, a fast, pure ruby, Markdown
parser and converter, which could result in unintended read access to
files or unintended embedded Ruby code execution when the {::options /}
extension is used together with the template
option.
The update introduces a new option forbidden_inline_options
to
restrict the options allowed with the {::options /} extension. By
default the template
option is forbidden.
For the stable distribution (buster), this problem has been fixed in version 1.17.0-1+deb10u1.
We recommend that you upgrade your ruby-kramdown packages.
For the detailed security status of ruby-kramdown please refer to its security tracker page at: \ https://security-tracker.debian.org/tracker/ruby-kramdown