ruby-passenger: CVE-2013-2119

Related Vulnerabilities: CVE-2013-2119, CVE-2013-4136

Debian Bug report logs - #710351

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 30 May 2013 07:15:01 UTC

Severity: grave

Tags: security

Fixed in versions ruby-passenger/3.0.13debian-1.1, ruby-passenger/3.0.13debian-1+deb7u1

Done: Felix Geyer <fgeyer@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#710351; Package ruby-passenger. (Thu, 30 May 2013 07:15:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 30 May 2013 07:15:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-passenger: CVE-2013-2119
Date: Thu, 30 May 2013 09:11:12 +0200
Package: ruby-passenger
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2119
for details and fixes.

This doesn't warrant a DSA, but can be fixed through a point update.

Cheers,
        Moritz



Reply sent to Felix Geyer <fgeyer@debian.org>:
You have taken responsibility. (Thu, 30 May 2013 18:27:12 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 30 May 2013 18:27:12 GMT)


Message #10 received at 710351-close@bugs.debian.org:

From: Felix Geyer <fgeyer@debian.org>
To: 710351-close@bugs.debian.org
Subject: Bug#710351: fixed in ruby-passenger 3.0.13debian-1.1
Date: Thu, 30 May 2013 18:22:49 +0000
Source: ruby-passenger
Source-Version: 3.0.13debian-1.1

We believe that the bug you reported is fixed in the latest version of
ruby-passenger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 710351@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Geyer <fgeyer@debian.org> (supplier of updated ruby-passenger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 30 May 2013 09:27:46 +0200
Source: ruby-passenger
Binary: ruby-passenger libapache2-mod-passenger ruby-passenger-doc
Architecture: source amd64 all
Version: 3.0.13debian-1.1
Distribution: unstable
Urgency: low
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Felix Geyer <fgeyer@debian.org>
Description: 
 libapache2-mod-passenger - Rails and Rack support for Apache2
 ruby-passenger - Rails and Rack support for Apache2 and Nginx
 ruby-passenger-doc - Rails and Rack support for Apache2 - Documentation
Closes: 707063 710351
Changes: 
 ruby-passenger (3.0.13debian-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Transition towards Apache 2.4. (Closes: #707063)
     - Build-depend on apache2-dev and apache2.
     - Use apache2 dh helper.
     - Drop libapache2-mod-passenger maintainer scripts, now handled by
       dh_apache2.
   * Fix building against glibc 2.17.
     - Add fix_ftbfs_glibc217.patch, cherry-picked from upstream.
   * Fix CVE-2013-2119: insecure temporary file usage. (Closes: #710351)
     - Add CVE-2013-2119.patch, cherry-picked from upstream.




Reply sent to Felix Geyer <fgeyer@debian.org>:
You have taken responsibility. (Tue, 29 Oct 2013 21:21:12 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 29 Oct 2013 21:21:12 GMT)


Message #15 received at 710351-close@bugs.debian.org:

From: Felix Geyer <fgeyer@debian.org>
To: 710351-close@bugs.debian.org
Subject: Bug#710351: fixed in ruby-passenger 3.0.13debian-1+deb7u1
Date: Tue, 29 Oct 2013 21:17:41 +0000
Source: ruby-passenger
Source-Version: 3.0.13debian-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
ruby-passenger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 710351@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Geyer <fgeyer@debian.org> (supplier of updated ruby-passenger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 14 Oct 2013 22:43:07 +0200
Source: ruby-passenger
Binary: ruby-passenger libapache2-mod-passenger ruby-passenger-doc
Architecture: source amd64 all
Version: 3.0.13debian-1+deb7u1
Distribution: wheezy
Urgency: low
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Felix Geyer <fgeyer@debian.org>
Description: 
 libapache2-mod-passenger - Rails and Rack support for Apache2
 ruby-passenger - Rails and Rack support for Apache2 and Nginx
 ruby-passenger-doc - Rails and Rack support for Apache2 - Documentation
Closes: 710351 717176
Changes: 
 ruby-passenger (3.0.13debian-1+deb7u1) wheezy; urgency=low
 .
   * Fix CVE-2013-2119 and CVE-2013-4136: insecure tmp files usage.
     (Closes: #710351, #717176)
     - Backport upstream commits in CVE-2013-2119.patch and CVE-2013-4136.patch




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Dec 2013 07:29:46 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:55:43 2019; Machine Name: beach
