Debian Bug report logs - #717176
ruby-passenger: CVE-2013-4136: insecure tmp files usage
Reported by: Henri Salo <henri@nerv.fi>
Date: Wed, 17 Jul 2013 14:09:01 UTC
Severity: important
Tags: fixed-upstream, security
Found in version ruby-passenger/3.0.13debian-1.1
Fixed in version ruby-passenger/3.0.13debian-1.2
Done: Felix Geyer <fgeyer@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#717176; Package ruby-passenger. (Wed, 17 Jul 2013 14:09:05 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: New Bug report received and forwarded. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 17 Jul 2013 14:09:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: ruby-passenger
Version: 3.0.13debian-1.1
Severity: important
Tags: security, fixed-upstream
Please see for details: http://openwall.com/lists/oss-security/2013/07/15/2
---
Henri Salo
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#717176; Package ruby-passenger. (Sat, 20 Jul 2013 17:36:04 GMT)
Acknowledgement sent to Felix Geyer <fgeyer@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 20 Jul 2013 17:36:04 GMT)
Message #10 received at 717176@bugs.debian.org:
I've prepared a debdiff that cherry-picks another upstream
commit to properly fix CVE-2013-2119 and backports the two
commits necessary to fix CVE-2013-4136.
Cheers,
Felix
[ruby-passenger_3.0.13debian-1.2.debdiff (text/plain, attachment)]
Reply sent to Felix Geyer <fgeyer@debian.org>: You have taken responsibility. (Sun, 21 Jul 2013 10:21:15 GMT)
Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Sun, 21 Jul 2013 10:21:15 GMT)
Message #15 received at 717176-close@bugs.debian.org:
Source: ruby-passenger
Source-Version: 3.0.13debian-1.2
We believe that the bug you reported is fixed in the latest version of
ruby-passenger, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 717176@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Felix Geyer <fgeyer@debian.org> (supplier of updated ruby-passenger package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 21 Jul 2013 10:41:42 +0200
Source: ruby-passenger
Binary: ruby-passenger libapache2-mod-passenger ruby-passenger-doc
Architecture: source amd64 all
Version: 3.0.13debian-1.2
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Felix Geyer <fgeyer@debian.org>
Description:
libapache2-mod-passenger - Rails and Rack support for Apache2
ruby-passenger - Rails and Rack support for Apache2 and Nginx
ruby-passenger-doc - Rails and Rack support for Apache2 - Documentation
Closes: 717176
Changes:
ruby-passenger (3.0.13debian-1.2) unstable; urgency=high
.
* Non-maintainer upload.
.
[ Laurent Bigonville ]
* debian/control: Use canonical VCS URL
* debian/control: Move libapache2-mod-passenger to httpd section
.
[ Felix Geyer ]
* Cherry-pick another commit to properly fix CVE-2013-2119.
* Fix CVE-2013-4136: insecure tmp files usage. (Closes: #717176)
- Add CVE-2013-4136.patch, backported from upstream.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 19 Aug 2013 07:39:18 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:51:28 2019.