Security fixes (incl. CVE-2009-3009)

Related Vulnerabilities: CVE-2009-3009   CVE-2009-3086  

Debian Bug report logs - #545063


Reported by: Jan Lühr <yanosz@gmx.net>

Date: Fri, 4 Sep 2009 18:18:01 UTC

Severity: grave

Tags: security

Fixed in version rails/2.2.3-1

Done: Adam Majer <adamm@zombino.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#545063; Package rails. (Fri, 04 Sep 2009 18:18:05 GMT)


Acknowledgement sent to Jan Lühr <yanosz@gmx.net>:
New Bug report received and forwarded. Copy sent to Adam Majer <adamm@zombino.com>.

Your message had a Version: pseudo-header with an invalid package version:

2.1, 2.2

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Fri, 04 Sep 2009 18:18:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Jan Lühr <yanosz@gmx.net>
To: submit@bugs.debian.org
Subject: Security fixes (incl. CVE-2009-3009)
Date: Fri, 4 Sep 2009 20:08:23 +0200
[Message part 1 (text/plain, inline)]
Package: rails
Version: 2.1, 2.2
Tags: security
Severity: grave

Rails in stable and testing are probably affected by:
http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails

Fixes have been released today.

Keep smiling
yanosz
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#545063; Package rails. (Thu, 10 Sep 2009 08:48:04 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>. (Thu, 10 Sep 2009 08:48:04 GMT)


Message #10 received at 545063@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <545063@bugs.debian.org>
Subject: CVE-2009-3086 CVE-2009-3009
Date: Thu, 10 Sep 2009 10:30:38 +0200
Package: rails

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for rails.

CVE-2009-3086[0]:
| A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x
| before 2.3.4, leaks information about the complexity of message-digest
| signature verification in the cookie store, which might allow remote
| attackers to forge a digest via multiple attempts.

CVE-2009-3009[1]:
| Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before
| 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject
| arbitrary web script or HTML by placing malformed Unicode strings into
| a form helper.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086
    http://security-tracker.debian.net/tracker/CVE-2009-3086
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3009
    http://security-tracker.debian.net/tracker/CVE-2009-3009


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqouSsACgkQNxpp46476ao1ZQCaAil8vKbQ/JQGNc+DBApQl3eW
89wAnjuPfrGmejg7FLzABM88h/n4rdpa
=OeAa
-----END PGP SIGNATURE-----

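The cookie-store weakness described above (CVE-2009-3086) comes from checking the cookie's message digest with an ordinary string comparison, which returns as soon as one byte differs, so the time a verification takes tells a remote attacker how many leading bytes of a forged digest are already right; the upstream fix switched to a comparison whose running time does not depend on where the strings differ. The following is an added example in Ruby, not Rails' own code: a minimal signed-cookie verifier showing the leaky pattern next to a constant-time one. The SignedCookie class, its secret and the payloads are constructed for illustration.

```ruby
require 'openssl'
require 'base64'

# Added example (not Rails' code): a signed cookie in the style of a cookie
# session store, "<base64 payload>--<hex HMAC-SHA1>".
class SignedCookie
  def initialize(secret)
    @secret = secret
  end

  # Signs +data+ and returns the cookie value.
  def generate(data)
    payload = Base64.strict_encode64(data)
    "#{payload}--#{digest(payload)}"
  end

  # Verifies +signed+ and returns the payload, or nil if the signature is bad.
  # Uses a constant-time comparison so the elapsed time does not reveal how
  # many leading bytes of a forged digest matched (the CVE-2009-3086 leak).
  def verify(signed)
    payload, sig = signed.split('--', 2)
    return nil if payload.nil? || sig.nil?
    return nil unless secure_compare(sig, digest(payload))
    Base64.strict_decode64(payload)
  rescue ArgumentError
    nil # malformed base64 in the payload
  end

  # The vulnerable pattern, kept for contrast: String#== stops at the first
  # byte that differs, so a guess with a longer correct prefix takes longer.
  def leaky_verify(signed)
    payload, sig = signed.split('--', 2)
    return nil if payload.nil? || sig.nil?
    sig == digest(payload) ? Base64.strict_decode64(payload) : nil
  rescue ArgumentError
    nil
  end

  # Compares two strings in time that depends only on their length: every
  # byte pair is XORed and OR-accumulated, with no early exit.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    result = 0
    a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
    result == 0
  end

  private

  def digest(payload)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), @secret, payload)
  end
end
```

The length check in secure_compare returns early, but the length of a valid digest is public (always 40 hex characters here), so that early exit leaks nothing an attacker does not already know.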


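The form-helper XSS above (CVE-2009-3009) is an escaping bug on input that is not valid in its declared encoding: a character-oriented escaper can mishandle a malformed multibyte sequence, so a '<' that follows it is never turned into '&lt;'. Ruby 1.9 and later refuse to run a regex over such a string and raise ArgumentError instead, which turns the same input into an unhandled exception. The following is an added example, not Rails' code: a naive escaper beside two hardened versions, one that escapes on raw bytes so no '<' can hide behind a bad lead byte, and one that scrubs invalid sequences first. The input string is constructed.

```ruby
# Added example (not Rails' code). Character-to-entity table for HTML escaping.
HTML_ESCAPE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'
}.freeze

# Naive, character-oriented escaper. On a string whose bytes are not valid in
# its declared encoding, Ruby >= 1.9 raises ArgumentError from gsub, so a
# malformed form field crashes the request; a Unicode-aware regex engine that
# does not validate first may instead absorb the byte after a bad lead byte,
# leaving a raw '<' in the output (the CVE-2009-3009 failure mode).
def naive_escape(s)
  s.gsub(/[&<>"']/) { |c| HTML_ESCAPE[c] }
end

# Byte-oriented escaper: works on a binary copy of the string, so every
# '&', '<', '>', '"' and "'" byte is escaped regardless of what precedes it,
# then reinterprets the result as UTF-8. Invalid bytes pass through untouched;
# the result may therefore still be invalid UTF-8, which browsers render as
# U+FFFD rather than as markup.
def escape_bytewise(s)
  s.b.gsub(/[&<>"']/) { |c| HTML_ESCAPE[c] }.force_encoding(Encoding::UTF_8)
end

# Scrubbing escaper: replaces each invalid byte sequence with U+FFFD first, so
# the output is always valid UTF-8, then escapes character by character.
def escape_scrubbed(s)
  s.scrub("\uFFFD").gsub(/[&<>"']/) { |c| HTML_ESCAPE[c] }
end
```

Whichever escaper is used, the safer boundary is to reject or scrub invalid input when it arrives (form parameters, cookies, headers) rather than to rely on the output encoder coping with it.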

Reply sent to Adam Majer <adamm@zombino.com>:
You have taken responsibility. (Fri, 11 Sep 2009 22:54:11 GMT)


Notification sent to Jan Lühr <yanosz@gmx.net>:
Bug acknowledged by developer. (Fri, 11 Sep 2009 22:54:11 GMT)


Message #15 received at 545063-close@bugs.debian.org:

From: Adam Majer <adamm@zombino.com>
To: 545063-close@bugs.debian.org
Subject: Bug#545063: fixed in rails 2.2.3-1
Date: Fri, 11 Sep 2009 22:38:20 +0000
Source: rails
Source-Version: 2.2.3-1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive:

rails_2.2.3-1.diff.gz
  to pool/main/r/rails/rails_2.2.3-1.diff.gz
rails_2.2.3-1.dsc
  to pool/main/r/rails/rails_2.2.3-1.dsc
rails_2.2.3-1_all.deb
  to pool/main/r/rails/rails_2.2.3-1_all.deb
rails_2.2.3.orig.tar.gz
  to pool/main/r/rails/rails_2.2.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 545063@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Majer <adamm@zombino.com> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 11 Sep 2009 13:53:42 -0500
Source: rails
Binary: rails
Architecture: source all
Version: 2.2.3-1
Distribution: unstable
Urgency: high
Maintainer: Adam Majer <adamm@zombino.com>
Changed-By: Adam Majer <adamm@zombino.com>
Description: 
 rails      - MVC ruby based framework geared for web application development
Closes: 538982 545063
Changes: 
 rails (2.2.3-1) unstable; urgency=high
 .
   * New upstream release (closes: #545063)
     + Fixes XSS security hole [CVE-2009-3009]
     + Fixes timing issue with cookie store [CVE-2009-3086]
   * Remove dependency on ruby-dbi, as it is not required by any of the
     sources.
   * Correct dependency on fixed libxml-simple-ruby to 1.0.11-2 or later
     (closes: #538982)
   * debian/control
     + Change section from web to ruby
     + Updated to debhelper 7.0+
     + Standards updated to 3.8.3 - no changes
Checksums-Sha1: 
 c103547f2fb632f4aa9e2807121ba0bd7c36b22a 1252 rails_2.2.3-1.dsc
 4e092e34beeebe376b204f75dc6d5364364c0314 3042735 rails_2.2.3.orig.tar.gz
 90125f29d38e20fe649769f73de732b211ab3fbb 13592 rails_2.2.3-1.diff.gz
 0eee5721fb52aac2bc0c65e2f050abafe7998a50 3437430 rails_2.2.3-1_all.deb
Checksums-Sha256: 
 9eb7c66982db8288c87e118687c486dbc56e7557cf1b61b06c71761d11f0a4fd 1252 rails_2.2.3-1.dsc
 c79b0690d8079bea4fab3c7f01c73b5cc1bf6678d967c740ed0aac61789e8ba7 3042735 rails_2.2.3.orig.tar.gz
 5948a2f87d3ef6cb235a3d05144eebeaa076d0258b9c7ea47d79a8977d9df161 13592 rails_2.2.3-1.diff.gz
 b0e3093dff6014b049e400aa6e61daf5c551012dcba476553f715e2586b6bffa 3437430 rails_2.2.3-1_all.deb
Files: 
 c7d28306e5a8626342d3b0a829bd0366 1252 ruby optional rails_2.2.3-1.dsc
 56640ae2ce3e5a8fd4eafd7617b6cb74 3042735 ruby optional rails_2.2.3.orig.tar.gz
 927f5aa729f0c56d4f33a29ac88e0555 13592 ruby optional rails_2.2.3-1.diff.gz
 7934c6fa9c8f39fd9a58e5e5b6259510 3437430 ruby optional rails_2.2.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqqt98ACgkQ73/bNdaAYUWPdQCffEOYh47f1HxRdySp1cXJjO9n
NysAn070ju1bHpbnbc1H/WOUtZisUZaF
=blp3
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 Oct 2009 07:38:12 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:01:29 2019; Machine Name: buxtehude
