ruby-actionmailer-3.2: Possible DoS Vulnerability in Action Mailer (CVE-2013-4389)

Related Vulnerabilities: CVE-2013-4389

Debian Bug report logs - #726576


Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Wed, 16 Oct 2013 20:00:02 UTC

Severity: grave

Tags: security

Fixed in versions 3.2.16-1, ruby-actionmailer-3.2/3.2.6-2+deb7u1

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#726576; Package ruby-actionmailer-3.2. (Wed, 16 Oct 2013 20:00:06 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 16 Oct 2013 20:00:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-actionmailer-3.2: Possible DoS Vulnerability in Action Mailer (CVE-2013-4389)
Date: Wed, 16 Oct 2013 21:57:59 +0200
Package: ruby-actionmailer-3.2
Severity: grave
Tags: security
Justification: user security hole

Hi,

a vulnerability was reported against actionmailer, see
http://marc.info/?l=oss-security&m=138194461411192&w=2 for more info.

It's unclear from that mail if it's really only a DoS, since “format
string” might be worse than that, so it's not clear if it'll need a DSA
or not.

Regards,
-- 
Yves-Alexis Perez
Debian Security

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Reply sent to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility. (Thu, 05 Dec 2013 12:12:16 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Thu, 05 Dec 2013 12:12:16 GMT)


Message #10 received at 726576-done@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: 726576-done@bugs.debian.org
Subject: Re: Bug#726576: ruby-actionmailer-3.2: Possible DoS Vulnerability in Action Mailer (CVE-2013-4389)
Date: Thu, 05 Dec 2013 13:08:24 +0100
Version: 3.2.16-1

Fixed in recent upload to unstable. Stable fixes are in the security
team queue and should be released soon.

Ondrej
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server



Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Tue, 01 Apr 2014 21:21:11 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Tue, 01 Apr 2014 21:21:11 GMT)


Message #15 received at 726576-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 726576-close@bugs.debian.org
Subject: Bug#726576: fixed in ruby-actionmailer-3.2 3.2.6-2+deb7u1
Date: Tue, 01 Apr 2014 21:17:30 +0000
Source: ruby-actionmailer-3.2
Source-Version: 3.2.6-2+deb7u1

We believe that the bug you reported is fixed in the latest version of
ruby-actionmailer-3.2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 726576@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated ruby-actionmailer-3.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 05 Dec 2013 11:58:24 +0100
Source: ruby-actionmailer-3.2
Binary: ruby-actionmailer-3.2
Architecture: source all
Version: 3.2.6-2+deb7u1
Distribution: wheezy-security
Urgency: low
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 ruby-actionmailer-3.2 - email composition, delivery, and receiving framework (part of Rai
Closes: 726576
Changes: 
 ruby-actionmailer-3.2 (3.2.6-2+deb7u1) wheezy-security; urgency=low
 .
   * [CVE-2013-4389] Fix Possible DoS Vulnerability in Action Mailer (Closes:  #726576)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 02 May 2014 07:30:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:12:59 2019; Machine Name: beach
