CVE-2018-3760

Related Vulnerabilities: CVE-2018-3760  

Debian Bug report logs - #901913
CVE-2018-3760

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 20 Jun 2018 07:12:02 UTC

Severity: grave

Tags: patch, security

Found in version ruby-sprockets/3.7.0-1

Fixed in versions ruby-sprockets/3.7.0-1.1, ruby-sprockets/3.7.0-1+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#901913; Package ruby-sprockets. (Wed, 20 Jun 2018 07:12:04 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 20 Jun 2018 07:12:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-3760
Date: Wed, 20 Jun 2018 09:08:27 +0200
Package: ruby-sprockets
Severity: grave
Tags: security

Hi,
please see http://www.openwall.com/lists/oss-security/2018/06/19/2

Cheers,
        Moritz
	 



Marked as found in versions ruby-sprockets/3.7.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Jun 2018 07:51:03 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#901913; Package ruby-sprockets. (Sat, 07 Jul 2018 06:45:02 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 07 Jul 2018 06:45:02 GMT).


Message #12 received at 901913@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 901913@bugs.debian.org
Subject: ruby-sprockets: diff for NMU version 3.7.0-1.1
Date: Sat, 7 Jul 2018 08:42:52 +0200
Control: tags 901913 + patch
Control: tags 901913 + pending


Dear maintainer,

I've prepared an NMU for ruby-sprockets (versioned as 3.7.0-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[ruby-sprockets-3.7.0-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 901913-submit@bugs.debian.org. (Sat, 07 Jul 2018 06:45:03 GMT).


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 901913-submit@bugs.debian.org. (Sat, 07 Jul 2018 06:45:03 GMT).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 09 Jul 2018 07:51:09 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 09 Jul 2018 07:51:09 GMT).


Message #21 received at 901913-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 901913-close@bugs.debian.org
Subject: Bug#901913: fixed in ruby-sprockets 3.7.0-1.1
Date: Mon, 09 Jul 2018 07:50:11 +0000
Source: ruby-sprockets
Source-Version: 3.7.0-1.1

We believe that the bug you reported is fixed in the latest version of
ruby-sprockets, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901913@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ruby-sprockets package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Jul 2018 23:29:49 +0200
Source: ruby-sprockets
Binary: ruby-sprockets
Architecture: source
Version: 3.7.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 ruby-sprockets - Rack-based asset packaging system
Closes: 901913
Changes:
 ruby-sprockets (3.7.0-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Do not respond to http requests asking for a `file://` (CVE-2018-3760)
     (Closes: #901913)




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 14 Jul 2018 13:06:08 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 14 Jul 2018 13:06:08 GMT).


Message #26 received at 901913-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 901913-close@bugs.debian.org
Subject: Bug#901913: fixed in ruby-sprockets 3.7.0-1+deb9u1
Date: Sat, 14 Jul 2018 13:02:33 +0000
Source: ruby-sprockets
Source-Version: 3.7.0-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
ruby-sprockets, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901913@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ruby-sprockets package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Jul 2018 23:29:49 +0200
Source: ruby-sprockets
Binary: ruby-sprockets
Architecture: source
Version: 3.7.0-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 901913
Description: 
 ruby-sprockets - Rack-based asset packaging system
Changes:
 ruby-sprockets (3.7.0-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Do not respond to http requests asking for a `file://` (CVE-2018-3760)
     (Closes: #901913)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Nov 2018 07:26:44 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:47:40 2019; Machine Name: buxtehude
