Debian Bug report logs - #668977
CVE-2012-1098: Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x [check if applies to RoR 2.3]
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#668607; Package rails. (Fri, 13 Apr 2012 12:36:16 GMT)
Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 13 Apr 2012 12:36:25 GMT)
Message #5 received at submit@bugs.debian.org:
Package: rails
Severity: grave
Tags: security
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#668607; Package rails. (Fri, 13 Apr 2012 13:57:07 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@sury.org>: Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 13 Apr 2012 13:57:08 GMT)
Message #10 received at 668607@bugs.debian.org:
Hi Moritz,
thanks for the reminder.
On Fri, Apr 13, 2012 at 14:24, Moritz Muehlenhoff
<muehlenhoff@univention.de> wrote:
> Package: rails
> Severity: grave
> Tags: security
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
The vulnerable code isn't present in rails-2.3 (which doesn't mean
that rails 2.3 is not vulnerable, just that we cannot fix that)
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
I have adapted the upstream patch to rails-2.3; the code seems to be
reasonably similar to 3.x.
$ diffstat rails_2.3.5-1.2+squeeze3.debdiff
changelog | 8 +++++++
patches/CVE-2012-1099.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 55 insertions(+)
debdiff, dsc and debian.tar.gz attached
Ondrej
--
Ondřej Surý <ondrej@sury.org>
[rails_2.3.5-1.2+squeeze3.debdiff (application/octet-stream, attachment)]
[rails_2.3.5-1.2+squeeze3.debian.tar.gz (application/x-gzip, attachment)]
[rails_2.3.5-1.2+squeeze3.dsc (application/octet-stream, attachment)]
Reply sent to Ondřej Surý <ondrej@debian.org>: You have taken responsibility. (Fri, 13 Apr 2012 14:54:44 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Fri, 13 Apr 2012 14:54:47 GMT)
Message #15 received at 668607-close@bugs.debian.org:
Source: ruby-actionpack-2.3
Source-Version: 2.3.14-3
We believe that the bug you reported is fixed in the latest version of
ruby-actionpack-2.3, which is due to be installed in the Debian FTP archive:
ruby-actionpack-2.3_2.3.14-3.debian.tar.gz
to main/r/ruby-actionpack-2.3/ruby-actionpack-2.3_2.3.14-3.debian.tar.gz
ruby-actionpack-2.3_2.3.14-3.dsc
to main/r/ruby-actionpack-2.3/ruby-actionpack-2.3_2.3.14-3.dsc
ruby-actionpack-2.3_2.3.14-3_all.deb
to main/r/ruby-actionpack-2.3/ruby-actionpack-2.3_2.3.14-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 668607@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated ruby-actionpack-2.3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Fri, 13 Apr 2012 15:39:31 +0200
Source: ruby-actionpack-2.3
Binary: ruby-actionpack-2.3
Architecture: source all
Version: 2.3.14-3
Distribution: unstable
Urgency: low
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description:
ruby-actionpack-2.3 - Controller and View framework used by Rails
Closes: 668607
Changes:
ruby-actionpack-2.3 (2.3.14-3) unstable; urgency=low
.
* Fix vulnerability for users that generate their own options tags for
use with the select helper in Ruby On Rails [CVE-2012-1099]
(Closes: #668607)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#668607; Package rails. (Fri, 13 Apr 2012 16:27:08 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 13 Apr 2012 16:27:08 GMT)
Message #20 received at 668607@bugs.debian.org:
Hi,
* Ondřej Surý <ondrej@sury.org> [2012-04-13 15:56]:
> On Fri, Apr 13, 2012 at 14:24, Moritz Muehlenhoff
> <muehlenhoff@univention.de> wrote:
> > Package: rails
> > Severity: grave
> > Tags: security
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
>
> The vulnerable code isn't present in rails-2.3 (which doesn't mean
> that rails 2.3 is not vulnerable, just that we cannot fix that)
>
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099
> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
>
> I have adapted the upstream patch to rails-2.3; the code seems to be
> reasonably similar to 3.x.
>
> $ diffstat rails_2.3.5-1.2+squeeze3.debdiff
> changelog | 8 +++++++
> patches/CVE-2012-1099.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++
> patches/series | 1
> 3 files changed, 55 insertions(+)
>
> debdiff, dsc and debian.tar.gz attached
Looks good. Please go ahead and upload this to security-master.
Thank you!
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#668607; Package rails. (Sun, 15 Apr 2012 08:57:08 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@sury.org>: Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 15 Apr 2012 08:57:08 GMT)
Message #25 received at 668607@bugs.debian.org:
On Fri, Apr 13, 2012 at 18:25, Nico Golde <nion@debian.org> wrote:
> Hi,
> * Ondřej Surý <ondrej@sury.org> [2012-04-13 15:56]:
>> On Fri, Apr 13, 2012 at 14:24, Moritz Muehlenhoff
>> <muehlenhoff@univention.de> wrote:
>> > Package: rails
>> > Severity: grave
>> > Tags: security
>> >
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
>> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
>>
>> The vulnerable code isn't present in rails-2.3 (which doesn't mean
>> that rails 2.3 is not vulnerable, just that we cannot fix that)
>>
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099
>> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
>>
>> I have adapted the upstream patch to rails-2.3; the code seems to be
>> reasonably similar to 3.x.
>>
>> $ diffstat rails_2.3.5-1.2+squeeze3.debdiff
>> changelog | 8 +++++++
>> patches/CVE-2012-1099.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++
>> patches/series | 1
>> 3 files changed, 55 insertions(+)
>>
>> debdiff, dsc and debian.tar.gz attached
>
> Looks good. Please go ahead and upload this to security-master.
Thanks, uploaded.
For unstable it has been fixed in:
ruby-actionpack-2.3 (2.3.14-3) unstable; urgency=low
* Fix vulnerability for users that generate their own options tags for
use with the select helper in Ruby On Rails [CVE-2012-1099]
(Closes: #668607)
-- Ondřej Surý <ondrej@debian.org> Fri, 13 Apr 2012 15:39:31 +0200
O.
--
Ondřej Surý <ondrej@sury.org>
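As an added example (not code from the Debian package, the debdiff attached above, or Rails itself) of the pattern the CVE-2012-1099 changelog entry describes: a plain-Ruby stand-in for a select helper, with the weak version that interpolates caller-built option markup verbatim beside a hardened one that escapes any string the helper itself did not produce. `SafeHtml`, `escape_once`, `select_unescaped`, `select_escaped` and the sample label are assumptions of this example.

```ruby
require "erb"

# Marker for markup a helper has already escaped. An assumption of this
# example, standing in for a framework's "html_safe" string type; it is
# not Rails' ActiveSupport::SafeBuffer.
class SafeHtml < String; end

# Escape a value unless it is already marked safe; the result is marked safe.
def escape_once(value)
  return value if value.is_a?(SafeHtml)
  SafeHtml.new(ERB::Util.html_escape(value.to_s))
end

# Build <option> tags from [label, value] pairs, escaping each field,
# and mark the assembled markup as safe.
def options_for_select(choices)
  html = choices.map do |label, value|
    %(<option value="#{escape_once(value)}">#{escape_once(label)}</option>)
  end
  SafeHtml.new(html.join)
end

# Weak pattern (the behaviour the CVE-2012-1099 changelog entry refers to):
# caller-built option markup is interpolated verbatim, so any markup that
# reached the label from user input lands in the page unescaped.
def select_unescaped(name, option_html)
  %(<select name="#{ERB::Util.html_escape(name)}">#{option_html}</select>)
end

# Hardened pattern: a plain String is untrusted and escaped; only markup
# carrying the SafeHtml marker (i.e. built by the helper) passes through.
def select_escaped(name, option_html)
  %(<select name="#{ERB::Util.html_escape(name)}">#{escape_once(option_html)}</select>)
end

# Constructed sample: a label that originated from a user and carries markup.
USER_LABEL = %(Deluxe <b>widget</b> & "more")

def demo
  hand_built = %(<option value="1">#{USER_LABEL}</option>)
  {
    weak:   select_unescaped("item", hand_built),
    string: select_escaped("item", hand_built),
    helper: select_escaped("item", options_for_select([[USER_LABEL, "1"]]))
  }
end

demo.each { |k, v| puts "#{k}: #{v}" } if $PROGRAM_NAME == __FILE__
```

The `string` result shows the cost of the hardened behaviour for callers that hand-build option markup: their string is escaped whole, so they must build options through the helper (or mark markup they have escaped themselves) rather than pass raw strings.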
Bug 668607 cloned as bug 668977. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 16 Apr 2012 08:39:03 GMT)
Changed Bug title to 'CVE-2012-1098: Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x [check if applies to RoR 2.3]' from 'CVE-2012-1098 / CVE-2012-1099'. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 16 Apr 2012 08:39:04 GMT)
Severity set to 'important' from 'grave'. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 16 Apr 2012 08:39:06 GMT)
Bug reopened. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 16 Apr 2012 08:45:11 GMT)
No longer marked as fixed in versions ruby-actionpack-2.3/2.3.14-3. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 16 Apr 2012 08:45:12 GMT)
Reply sent to Christian Hofstaedtler <zeha@debian.org>: You have taken responsibility. (Wed, 08 Apr 2015 10:15:23 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Wed, 08 Apr 2015 10:15:23 GMT)
Message #40 received at 668977-close@bugs.debian.org:
AFAICT, the version in wheezy has been fixed, and jessie and sid
contain much newer versions (4.x) that should have inherited the fix
upstream a long time ago.
Closing.
--
,''`. Christian Hofstaedtler <zeha@debian.org>
: :' : Debian Developer
`. `' 7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03
`-
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 May 2015 07:29:41 GMT)
Last modified: Wed Jun 19 18:48:20 2019