ruby-rack-protection: CVE-2018-1000119: Timing attack in authenticity_token.rb


Debian Bug report logs - #892250

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 7 Mar 2018 06:27:04 UTC

Severity: grave

Tags: patch, security, upstream

Found in version ruby-rack-protection/1.5.2-1

Fixed in versions ruby-rack-protection/1.5.3-2+deb9u1, ruby-rack-protection/1.5.3-2.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#892250; Package src:ruby-rack-protection. (Wed, 07 Mar 2018 06:27:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 07 Mar 2018 06:27:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-rack-protection: CVE-2018-1000119: Timing attack in authenticity_token.rb
Date: Wed, 07 Mar 2018 07:24:09 +0100
Source: ruby-rack-protection
Version: 1.5.2-1
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for ruby-rack-protection.

CVE-2018-1000119[0]:
Timing attack in authenticity_token.rb

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000119
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000119
[1] https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1534027

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
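The report above names the defect only by its title: a timing attack in authenticity_token.rb, the rack-protection module that checks the CSRF token a client sends back against the one stored in the session. The Ruby below is an added illustration of that bug class and its mitigation; it is not code from the bug report, from rack-protection or from the upstream fix commit. A comparison done with String#== returns at the first mismatching byte, so its duration correlates with how long a prefix of the submitted value matches the secret; a comparison that touches every byte and only inspects the accumulated difference does not. The `csrf_accepts?` model of the check (session key, header and parameter names, the list of safe methods, the `env['params']` hash) is an assumption made for this example, as is the name `token_matches_secure?`; a real Rack application should call `Rack::Utils.secure_compare`, which the library provides for exactly this purpose.

```ruby
require 'securerandom'
require 'digest/sha2'

# Timing-unsafe comparison: String#== stops at the first differing byte,
# so the elapsed time depends on how much of the prefix matches.
# Kept here only to show the pattern that must not be used for secrets.
def token_matches_unsafe?(submitted, expected)
  submitted == expected
end

# Constant-time comparison in the spirit of Rack::Utils.secure_compare.
# Both sides are hashed to a fixed 32-byte length first, so neither the
# length nor the position of the first mismatch decides when the loop
# ends; every byte is XORed and only the accumulated result is inspected.
# (The hashing step is this example's choice; Rack compares raw bytes
# after an explicit length check, which is fine for fixed-length tokens.)
def token_matches_secure?(submitted, expected)
  return false if submitted.nil?
  a = Digest::SHA256.digest(submitted.to_s)
  b = Digest::SHA256.digest(expected.to_s)
  acc = 0
  a.bytes.zip(b.bytes) { |x, y| acc |= x ^ y }
  acc.zero?
end

# Minimal, assumed model of a CSRF authenticity-token check for a Rack
# request: the token lives in the session and the client echoes it back
# either in an X-CSRF-Token header or in an authenticity_token parameter.
# `env['params']` is a stand-in for parsed request parameters.
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

def csrf_accepts?(env, session)
  token = session[:csrf] ||= SecureRandom.hex(32)
  return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
  candidate = env['HTTP_X_CSRF_TOKEN'] || (env['params'] || {})['authenticity_token']
  token_matches_secure?(candidate, token)
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  # Constructed requests: a safe GET, a POST with a wrong header, a POST
  # with the right header and a POST carrying the token as a form field.
  puts csrf_accepts?({ 'REQUEST_METHOD' => 'GET' }, session)
  puts csrf_accepts?({ 'REQUEST_METHOD' => 'POST', 'HTTP_X_CSRF_TOKEN' => 'guess' }, session)
  puts csrf_accepts?({ 'REQUEST_METHOD' => 'POST', 'HTTP_X_CSRF_TOKEN' => session[:csrf] }, session)
  puts csrf_accepts?({ 'REQUEST_METHOD' => 'POST',
                       'params' => { 'authenticity_token' => session[:csrf] } }, session)
end
```

The two predicates return the same booleans for every input; the only difference is that the secure variant does the same amount of work whether the submitted value is wrong in its first byte or its last, which removes the signal a remote timing measurement would need. When auditing Rack or Sinatra code for this class of bug, grep for `==` or `eql?` applied to session tokens, API keys or signatures and replace them with `Rack::Utils.secure_compare` or `OpenSSL.fixed_length_secure_compare`.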



Reply sent to Moritz Muehlenhoff <jmm@debian.org>:
You have taken responsibility. (Thu, 19 Jul 2018 19:21:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 19 Jul 2018 19:21:10 GMT)


Message #10 received at 892250-close@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 892250-close@bugs.debian.org
Subject: Bug#892250: fixed in ruby-rack-protection 1.5.3-2+deb9u1
Date: Thu, 19 Jul 2018 19:17:39 +0000
Source: ruby-rack-protection
Source-Version: 1.5.3-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
ruby-rack-protection, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892250@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated ruby-rack-protection package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 15 Jul 2018 20:46:41 +0200
Source: ruby-rack-protection
Binary: ruby-rack-protection
Architecture: source all
Version: 1.5.3-2+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description:
 ruby-rack-protection - Protects against typical web attacks for Rack apps
Closes: 892250
Changes:
 ruby-rack-protection (1.5.3-2+deb9u1) stretch-security; urgency=medium
 .
   * CVE-2018-1000119 (Closes: #892250)
Checksums-Sha1:
 0d3968335d04fcd40dea2b8295bee0bff8483bb6 2189 ruby-rack-protection_1.5.3-2+deb9u1.dsc
 d1e9cadc6d44c29635c1d4817a3f2f029b3e1b65 15673 ruby-rack-protection_1.5.3.orig.tar.gz
 c95541b16a09856f954b3c22d9db690f3b0b2e94 7400 ruby-rack-protection_1.5.3-2+deb9u1.debian.tar.xz
 68b93a7603feefdcc571c39858ec8177e04b001a 10198 ruby-rack-protection_1.5.3-2+deb9u1_all.deb
 3fd96af4055fdd6a33674a1f890227200b96cc0a 7244 ruby-rack-protection_1.5.3-2+deb9u1_amd64.buildinfo
Checksums-Sha256:
 acdc23c57c093c2c2c2a1e54e16d1ffbea417b44d63df7009120310bd0aebca7 2189 ruby-rack-protection_1.5.3-2+deb9u1.dsc
 c5217f34cb6559ccadd6540827ec6ca4d05211afc3271efdcb5ebef3bb90d0df 15673 ruby-rack-protection_1.5.3.orig.tar.gz
 0148b12a6066f908508adbdc1d014ac47c5b6327978e24cb801fcef7d3896af1 7400 ruby-rack-protection_1.5.3-2+deb9u1.debian.tar.xz
 e1d010d8c2fc36c7fd88eaa0e6d6f4408d72b35f0ff974e0c5b1a28ac7b548ef 10198 ruby-rack-protection_1.5.3-2+deb9u1_all.deb
 983ab4f43d1dd85a50faec5bdba1b7c640a619f70cac8c2dd87f4e110dbd6cca 7244 ruby-rack-protection_1.5.3-2+deb9u1_amd64.buildinfo
Files:
 ffc126e2a4376fc7f910d47d7a12c8c4 2189 ruby optional ruby-rack-protection_1.5.3-2+deb9u1.dsc
 9725f120b6b2dcada7711d9af6e3c8a5 15673 ruby optional ruby-rack-protection_1.5.3.orig.tar.gz
 4af1aa3be34844b02133cef904670058 7400 ruby optional ruby-rack-protection_1.5.3-2+deb9u1.debian.tar.xz
 aed6fec3026697758aef06ec10c07ee3 10198 ruby optional ruby-rack-protection_1.5.3-2+deb9u1_all.deb
 6728d8cc86e4b30d96271c3c302458fd 7244 ruby optional ruby-rack-protection_1.5.3-2+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAltLs/QACgkQEMKTtsN8
Tja7XA//XQYD9hiepftPfnZh4ol7wLL93Qg7KVQ1QzofzyXUEv1Pl0Ecjo+mIXK9
gwiDyxomOSEMD4BHTvlKQRty+ckHv8hwdEUQXDZIxrHGokLmtBl4f8fV8bM/eC2A
mMK7vrKsaafLkMWI/dqutFoWBNuCWnUnv9G3RhMQ4nnQ58hrTkc09zHB3eHCB/+x
fQHfNg1tveRrfC/5UlYRsCVWzqN53wA9c7jVVUYtzHguZAp5s2+Z1yfHgdALRNMI
QEEGu2o/LU5wvWXFthvajYLMyqe7sIzp8+GARVMySvtkwbvBHNsAPu7ijCSkpkKc
AjanJ/Vc77VdzCh4Kd8gjAuFjlPNleZEJpiyZsIQNmw1jYqSTJ25g9KwdmrPRn7s
ew2B+R39AzL9lSAhpBlp6KGF2fcYPz52Y3ot2pDWICxYZ6Oj2OGepIsHAWxwOvxm
NT3+OGsuMC8Pl0VEPSKXIxlo4pz+GL+c5ub2LvOdprytJg0zvYeXc5rQgveSGhCZ
uQS7OS9ae6ZGuIsgJ8wL0GXghmlVnxlNYjxcJAcnN8hf0BFs7mfoiC73KxewRYWI
iCt5WS4Gnc6iBfq4ymn7L4J8njqhANieox01PlNUpRuvR6n8J4Q4MjOEB6Kj0kaE
gAOxskA94xi9+eP51K2FZUpqjsFLpRS+tNYNzY20nL80ILOWiWU=
=GSFd
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#892250; Package src:ruby-rack-protection. (Fri, 20 Jul 2018 04:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 20 Jul 2018 04:09:03 GMT)


Message #15 received at 892250@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 892250@bugs.debian.org
Cc: jmm@debian.org
Subject: ruby-rack-protection: diff for NMU version 1.5.3-2.1
Date: Fri, 20 Jul 2018 06:05:38 +0200
Control: tags 892250 + pending

Dear maintainer,

I've prepared an NMU for ruby-rack-protection (versioned as 1.5.3-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

The update is just a reupload for sid/buster on what Moritz prepared
as DSA.

Regards,
Salvatore
[ruby-rack-protection-1.5.3-2.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 892250-submit@bugs.debian.org. (Fri, 20 Jul 2018 04:09:03 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 22 Jul 2018 04:39:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 22 Jul 2018 04:39:04 GMT)


Message #22 received at 892250-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 892250-close@bugs.debian.org
Subject: Bug#892250: fixed in ruby-rack-protection 1.5.3-2.1
Date: Sun, 22 Jul 2018 04:35:02 +0000
Source: ruby-rack-protection
Source-Version: 1.5.3-2.1

We believe that the bug you reported is fixed in the latest version of
ruby-rack-protection, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892250@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ruby-rack-protection package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 20 Jul 2018 05:52:12 +0200
Source: ruby-rack-protection
Binary: ruby-rack-protection
Architecture: source
Version: 1.5.3-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 ruby-rack-protection - Protects against typical web attacks for Rack apps
Closes: 892250
Changes:
 ruby-rack-protection (1.5.3-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Moritz Muehlenhoff ]
   * CVE-2018-1000119 (Closes: #892250)
Checksums-Sha1:
 ca1849605251ba4ff16c885e85a74fc0018021da 2324 ruby-rack-protection_1.5.3-2.1.dsc
 2cd8be54723e3198cb526022fa383914e8bca9ca 7432 ruby-rack-protection_1.5.3-2.1.debian.tar.xz
 708333d2ecb919cbb3a33bd3396675f75f430a95 7110 ruby-rack-protection_1.5.3-2.1_source.buildinfo
Checksums-Sha256:
 d6d12d1c9f7f818195b4ccaad5c0999a74fe0d72c8dea5e25c087b80753f9fc5 2324 ruby-rack-protection_1.5.3-2.1.dsc
 41fbf0dcca68b9f0004e202cdce3ab80fb5dd66efbfb5b3e4e4cabfef6684ea0 7432 ruby-rack-protection_1.5.3-2.1.debian.tar.xz
 654ce710526dffa452d5244580aad78322316ae82878eb1f56732f9a9632fd67 7110 ruby-rack-protection_1.5.3-2.1_source.buildinfo
Files:
 b485352adb6d984d6d9c166a9462a5dd 2324 ruby optional ruby-rack-protection_1.5.3-2.1.dsc
 7cd47a34f6fd15e3b0a24663c88548a2 7432 ruby optional ruby-rack-protection_1.5.3-2.1.debian.tar.xz
 fbc62454bd795e4d4421a0aba7bc754b 7110 ruby optional ruby-rack-protection_1.5.3-2.1_source.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Nov 2018 07:31:19 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:16:33 2019; Machine Name: buxtehude
