Debian Bug report logs -
#714541
ruby1.8: CVE-2013-4073: Hostname check bypassing vulnerability in SSL client
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 30 Jun 2013 16:12:02 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in versions ruby1.8/1.8.7.358-7, ruby1.8/1.8.7.302-2
Fixed in version ruby1.8/1.8.7.358-7.1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, akira yamada <akira@debian.org>:
Bug#714541; Package ruby1.8.
(Sun, 30 Jun 2013 16:12:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, akira yamada <akira@debian.org>.
(Sun, 30 Jun 2013 16:12:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: ruby1.8
Severity: normal
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for ruby1.8.
CVE-2013-4073[0]:
Hostname check bypassing vulnerability in SSL client
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073
http://security-tracker.debian.org/tracker/CVE-2013-4073
[1] http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
[2] https://github.com/ruby/ruby/commit/961bf7496ded3acfe847cf56fa90bbdcfd6e614f
(note the patch[2] contains a typo and need the follow up patch too).
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Severity set to 'grave' from 'normal'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 30 Jun 2013 16:15:09 GMT) (full text, mbox, link).
Marked as found in versions ruby1.8/1.8.7.302-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 06 Jul 2013 12:18:04 GMT) (full text, mbox, link).
Marked as found in versions ruby1.8/1.8.7.358-7.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 06 Jul 2013 12:18:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#714541; Package ruby1.8.
(Sat, 06 Jul 2013 15:48:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>.
(Sat, 06 Jul 2013 15:48:07 GMT) (full text, mbox, link).
Message #16 received at 714541@bugs.debian.org (full text, mbox, reply):
Hi
Additional update: There seems to be a regression[1], so needs a
follow up patch[2].
[1] https://bugs.ruby-lang.org/issues/8575
[2] https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/41805
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#714541; Package ruby1.8.
(Sun, 07 Jul 2013 12:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>.
(Sun, 07 Jul 2013 12:45:04 GMT) (full text, mbox, link).
Message #21 received at 714541@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Ruby maintainers
Attached is also the proposed debdiff for ruby1.8 and CVE-2013-4073,
similar to #714543 (for ruby1.9.1).
Regards,
Salvatore
[ruby1.8_1.8.7.358-7.1.debdiff (text/plain, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#714541; Package ruby1.8.
(Mon, 08 Jul 2013 16:39:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>.
(Mon, 08 Jul 2013 16:39:08 GMT) (full text, mbox, link).
Message #26 received at 714541@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 714541 + pending
thanks
Dear Ruby maintainers!
I've prepared an NMU for ruby1.8 (versioned as 1.8.7.358-7.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
[ruby1.8-1.8.7.358-7.1-nmu.diff (text/x-diff, attachment)]
Added tag(s) pending.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 08 Jul 2013 16:39:11 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Wed, 10 Jul 2013 17:06:14 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Wed, 10 Jul 2013 17:06:14 GMT) (full text, mbox, link).
Message #33 received at 714541-close@bugs.debian.org (full text, mbox, reply):
Source: ruby1.8
Source-Version: 1.8.7.358-7.1
We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 714541@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ruby1.8 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 07 Jul 2013 14:10:32 +0200
Source: ruby1.8
Binary: ruby1.8 libruby1.8 libruby1.8-dbg ruby1.8-dev libtcltk-ruby1.8 ruby1.8-examples ri1.8 ruby1.8-full
Architecture: source all amd64
Version: 1.8.7.358-7.1
Distribution: unstable
Urgency: high
Maintainer: akira yamada <akira@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
libruby1.8 - Libraries necessary to run Ruby 1.8
libruby1.8-dbg - Debugging symbols for Ruby 1.8
libtcltk-ruby1.8 - Tcl/Tk interface for Ruby 1.8
ri1.8 - Ruby Interactive reference (for Ruby 1.8)
ruby1.8 - Interpreter of object-oriented scripting language Ruby 1.8
ruby1.8-dev - Header files for compiling extension modules for the Ruby 1.8
ruby1.8-examples - Examples for Ruby 1.8
ruby1.8-full - Ruby 1.8 full installation
Closes: 714541
Changes:
ruby1.8 (1.8.7.358-7.1) unstable; urgency=high
.
* Non-maintainer upload.
* Add CVE-2013-4073.patch patch.
CVE-2013-4073: Fix hostname check bypassing vulnerability in SSL client.
(Closes: #714541)
Checksums-Sha1:
78cad0e85896bac3c01087f435de4d492093966e 2536 ruby1.8_1.8.7.358-7.1.dsc
6222e9b40a414a77349bd4ab301c65fde24d5770 59975 ruby1.8_1.8.7.358-7.1.debian.tar.gz
869eff8e2a0a39d579df6ab6c0c2a55d7fef878f 344664 ruby1.8-examples_1.8.7.358-7.1_all.deb
585ded63fdfe0b7b69c5b585ff8b4ab0e02b1054 1434598 ri1.8_1.8.7.358-7.1_all.deb
80b9238fe98c8c7a6b3113cdd27a0505ce81e195 283886 ruby1.8-full_1.8.7.358-7.1_all.deb
db955f7b07cb859f5be879fca49813c710430810 320022 ruby1.8_1.8.7.358-7.1_amd64.deb
a26ec7d3da3fc398dba2125a24b631c733533167 2078510 libruby1.8_1.8.7.358-7.1_amd64.deb
261481aa9b19e4c1ad0ea9ceb621f717232f8e11 1740644 libruby1.8-dbg_1.8.7.358-7.1_amd64.deb
b93868d1b938473cb1094f2e3124abc01acf7be2 910826 ruby1.8-dev_1.8.7.358-7.1_amd64.deb
114be84c0c2b46d99ef71261643ef8ca57399188 2037396 libtcltk-ruby1.8_1.8.7.358-7.1_amd64.deb
Checksums-Sha256:
394fb976de86136b90c5e78d0a104221b98f2cd782dfd2ab9ac066241fb70e50 2536 ruby1.8_1.8.7.358-7.1.dsc
8174505b449447149cc1917185f39472cc80156968a777b639353febf48727bb 59975 ruby1.8_1.8.7.358-7.1.debian.tar.gz
e65cda729af36a31267b586e43a5da234e858ffe0cdb28da3e291217f41b6dcc 344664 ruby1.8-examples_1.8.7.358-7.1_all.deb
c096f5cc14f5d67649932c2abd61202fe39db3041a2921fac7b7bb4af645c032 1434598 ri1.8_1.8.7.358-7.1_all.deb
b007b7310f7dcdd3360fb787972d02235eb50fdb6b11e11ce291d6a2f723ac48 283886 ruby1.8-full_1.8.7.358-7.1_all.deb
f820b4449b40aae83c91e960094c5650cd46cd5a360f7a192f295e8e1a2684d8 320022 ruby1.8_1.8.7.358-7.1_amd64.deb
ec2fee345073e50edadc5733c233ab77e55ee2e3b8ea307c45fe2a118d3c91a2 2078510 libruby1.8_1.8.7.358-7.1_amd64.deb
24882fd08837117d86b8563e6421548e53a1a3941c32440e025c6d68449d8d01 1740644 libruby1.8-dbg_1.8.7.358-7.1_amd64.deb
fae6bff49adfee2c668525889275082f31dd38a0062be336de3bb0a0dda962a0 910826 ruby1.8-dev_1.8.7.358-7.1_amd64.deb
4d2509f8e6493078bba015b5b7774e510b08929fef6951623361d2f852e30e35 2037396 libtcltk-ruby1.8_1.8.7.358-7.1_amd64.deb
Files:
d0dfa4af9a87cb4b67208963388244ac 2536 ruby optional ruby1.8_1.8.7.358-7.1.dsc
8deb889960f4f9009b126f0d922351e6 59975 ruby optional ruby1.8_1.8.7.358-7.1.debian.tar.gz
03d9cd86af0feabd214dbd15cc511d1b 344664 ruby optional ruby1.8-examples_1.8.7.358-7.1_all.deb
7ec5c580111e8ad95b8a0ab502d7aab2 1434598 ruby optional ri1.8_1.8.7.358-7.1_all.deb
48a539688c8e74d3d0c38d164d5a730d 283886 ruby optional ruby1.8-full_1.8.7.358-7.1_all.deb
a0f85e340374a4052465c136fc72ecfe 320022 ruby optional ruby1.8_1.8.7.358-7.1_amd64.deb
8f79e63663589b69df9b3602f780c57c 2078510 libs optional libruby1.8_1.8.7.358-7.1_amd64.deb
0cf506db2069e5d79f1faaaff7119c6c 1740644 debug extra libruby1.8-dbg_1.8.7.358-7.1_amd64.deb
3493b6f54de380e5c60556c66192c2d8 910826 ruby optional ruby1.8-dev_1.8.7.358-7.1_amd64.deb
61f3ffafd5845056d3d0b679267a44cb 2037396 ruby optional libtcltk-ruby1.8_1.8.7.358-7.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCgAGBQJR2tBKAAoJEHidbwV/2GP+9J0P/i5WP+f7fIF02Pw/9jzEUTWC
2w3q5qrZUysOWAM9Lp120XNpzN8QRbASjR/Ie48VdD1rtBgm5p+87GzXjzKu8P8x
aKFeJhBGVWgucUzU1ysfDj4xAMwKhxphNyn61g89uG0sbYvRILw74HeBI8ZWLFR7
a2+5TfWEGBh8Be2f5FVEAkWZGQpqVTpkmUaxxAiJqndN7bQoMXIHB7dtv4EC6MMl
WRqjjbwWjqgXFQ4QCt3rEfa6zS6aC1OFHvkK2ZHYH5y9fvjGvTUIp/zvStnGiaom
dzEU2CZjSXZfajytCCaTIb+CQidEvXGg20sV9DiT2N0wOrjKZuWOzmCDDjwflmZF
BWYA5DFetU40ExeIFNzP/t9VizsB9oNeWP4Vlqdnw/53d/gU6VMqQqNyn8brlbVq
mTDIGlFxreGIA9aZv0Z1zbF/Yun3oH0wnZfV/Tpgz0EIeWQpSJt7oTA+//+l7hMZ
x+7zFr/ZHAOLAT73Y88bP+E92o1kNttUynSTE2+xseJEX16TiqUgD4qy43qPEwu3
J2tXNylqCEGoTNAH2aXIfW0Mza438ECveaNCr67vZUOkyuKFCsabr/8W6ME5gGZt
X4DCOTXiRl6sVRdVqpuCwD0fGDC8L/DrFxAeRUnzFjQvepFlUan04CQJU+xVt8+Z
YYcAzw3TS5aVmA2GMBu8
=fr6f
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 15 Dec 2013 07:29:05 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:17:08 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon