CVE-2018-1000539

Related Vulnerabilities: CVE-2018-1000539  

Debian Bug report logs - #902721
CVE-2018-1000539

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 29 Jun 2018 21:06:07 UTC

Severity: grave

Tags: fixed-upstream, security

Found in version ruby-json-jwt/1.7.2-1

Fixed in versions ruby-json-jwt/1.9.4-1, ruby-json-jwt/1.6.2-1+deb9u1

Done: Pirate Praveen <praveen@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/nov/json-jwt/pull/62


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#902721; Package ruby-json-jwt. (Fri, 29 Jun 2018 21:06:09 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 29 Jun 2018 21:06:09 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-1000539
Date: Fri, 29 Jun 2018 23:04:26 +0200
Package: ruby-json-jwt
Severity: grave
Tags: security

This was assigned CVE-2018-1000539:
https://github.com/nov/json-jwt/pull/62
https://github.com/nov/json-jwt/commit/3393f394f271c87bd42ec23c300727b4437d1638

Cheers,
        Moritz



Set Bug forwarded-to-address to 'https://github.com/nov/json-jwt/pull/62'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Jul 2018 18:15:05 GMT)


Marked as found in versions ruby-json-jwt/1.7.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Jul 2018 18:15:07 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Fri, 06 Jul 2018 01:00:29 GMT)


Added blocking bug(s) of 902721: 906289 Request was from Pirate Praveen <praveen@debian.org> to submit@bugs.debian.org. (Thu, 16 Aug 2018 16:45:14 GMT)


Reply sent to Pirate Praveen <praveen@debian.org>:
You have taken responsibility. (Fri, 17 Aug 2018 11:09:04 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 17 Aug 2018 11:09:04 GMT)


Message #18 received at 902721-close@bugs.debian.org:

From: Pirate Praveen <praveen@debian.org>
To: 902721-close@bugs.debian.org
Subject: Bug#902721: fixed in ruby-json-jwt 1.9.4-1
Date: Fri, 17 Aug 2018 11:05:46 +0000
Source: ruby-json-jwt
Source-Version: 1.9.4-1

We believe that the bug you reported is fixed in the latest version of
ruby-json-jwt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 902721@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated ruby-json-jwt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 15 Aug 2018 21:51:27 +0530
Source: ruby-json-jwt
Binary: ruby-json-jwt
Architecture: source
Version: 1.9.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Description:
 ruby-json-jwt - JSON Web Token and its family in Ruby
Closes: 902721
Changes:
 ruby-json-jwt (1.9.4-1) unstable; urgency=medium
 .
   * New upstream version 1.9.4 (Closes: #902721) (Fixes: CVE-2018-1000539)
   * Move debian/watch to gemwatch.debian.net
   * Bump Standards-Version to 4.2.0 (no changes needed)
   * Bump debhelper compatibility level to 11
   * Use salsa.debian.org in Vcs-* fields

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Pirate Praveen <praveen@debian.org>:
You have taken responsibility. (Sat, 01 Sep 2018 12:51:15 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 01 Sep 2018 12:51:15 GMT)


Message #23 received at 902721-close@bugs.debian.org:

From: Pirate Praveen <praveen@debian.org>
To: 902721-close@bugs.debian.org
Subject: Bug#902721: fixed in ruby-json-jwt 1.6.2-1+deb9u1
Date: Sat, 01 Sep 2018 12:47:08 +0000
Source: ruby-json-jwt
Source-Version: 1.6.2-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
ruby-json-jwt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 902721@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated ruby-json-jwt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 18 Aug 2018 23:32:06 +0530
Source: ruby-json-jwt
Binary: ruby-json-jwt
Architecture: source all
Version: 1.6.2-1+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Description:
 ruby-json-jwt - JSON Web Token and its family in Ruby
Closes: 902721
Changes:
 ruby-json-jwt (1.6.2-1+deb9u1) stretch-security; urgency=medium
 .
   * Fixes: CVE-2018-1000539 (Closes: #902721)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2018 07:25:57 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:50:29 2019; Machine Name: buxtehude
