ruby-devise: CVE-2019-5421

Debian Bug report logs - #926348

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 3 Apr 2019 21:03:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version ruby-devise/4.5.0-2

Fixed in version ruby-devise/4.5.0-3

Done: Utkarsh Gupta <guptautkarsh4102@gmail.com>

Forwarded to https://github.com/plataformatec/devise/issues/4981


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#926348; Package src:ruby-devise. (Wed, 03 Apr 2019 21:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 03 Apr 2019 21:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-devise: CVE-2019-5421
Date: Wed, 03 Apr 2019 23:00:59 +0200
Source: ruby-devise
Version: 4.5.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/plataformatec/devise/issues/4981

Hi,

The following vulnerability was published for ruby-devise.

CVE-2019-5421[0]:
| Plataformatec Devise version 4.5.0 and earlier, using the lockable
| module, contains a CWE-367 vulnerability in the
| `Devise::Models::Lockable` class, more specifically in the
| `#increment_failed_attempts` method. File location:
| lib/devise/models/lockable.rb. This can result in multiple concurrent
| requests preventing an attacker from being blocked on brute force
| attacks. This attack appears to be exploitable via network connectivity
| (brute force attacks). This vulnerability appears to have been fixed
| in 4.6.0 and later.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5421
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5421
[1] https://github.com/plataformatec/devise/issues/4981
[2] https://github.com/plataformatec/devise/pull/4996

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
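The CWE-367 race the CVE text describes, as an added illustration (not Devise's code and not part of this bug report): a failed-attempts counter updated by reading the column, adding one in Ruby and writing the result back loses concurrent increments, so the lockable threshold is never reached, whereas an increment performed atomically under the row lock counts every failure. The user row, `MAXIMUM_ATTEMPTS = 5` and the 20 ms request latency are constructed assumptions.

```ruby
MAXIMUM_ATTEMPTS = 5  # stands in for Devise's config.maximum_attempts (assumed value)

# Constructed stand-in for one users row; the Mutex plays the role of a DB row lock.
class FakeUserRow
  attr_reader :failed_attempts

  def initialize
    @failed_attempts = 0
    @row_lock = Mutex.new
  end

  # Racy pattern: read the column, add 1 in Ruby, write the computed value back.
  # Two concurrent requests that both read 3 both write 4, so one failure is lost.
  def increment_failed_attempts_racy
    current = @failed_attempts      # SELECT failed_attempts
    sleep(0.02)                     # request latency between the read and the write
    @failed_attempts = current + 1  # UPDATE ... SET failed_attempts = <computed value>
  end

  # Hardened pattern: read and write happen under the row lock, which is what an
  # atomic UPDATE ... SET failed_attempts = failed_attempts + 1 gives you in SQL.
  def increment_failed_attempts_atomic
    @row_lock.synchronize do
      current = @failed_attempts
      sleep(0.02)
      @failed_attempts = current + 1
    end
  end

  def access_locked?
    @failed_attempts >= MAXIMUM_ATTEMPTS
  end
end

# Run n failed logins concurrently against a fresh row and return the row.
def concurrent_failures(n, atomic:)
  row = FakeUserRow.new
  threads = Array.new(n) do
    Thread.new { atomic ? row.increment_failed_attempts_atomic : row.increment_failed_attempts_racy }
  end
  threads.each(&:join)
  row
end

if __FILE__ == $PROGRAM_NAME
  racy   = concurrent_failures(20, atomic: false)
  atomic = concurrent_failures(20, atomic: true)
  puts "racy:   #{racy.failed_attempts} of 20 failures recorded, locked? #{racy.access_locked?}"
  puts "atomic: #{atomic.failed_attempts} of 20 failures recorded, locked? #{atomic.access_locked?}"
end
```

With the racy increment the 20 concurrent failures typically collapse to a count of 1 and the account is never locked; the locked increment records all 20.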



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 08 Apr 2019 19:45:02 GMT)


Reply sent to Utkarsh Gupta <guptautkarsh4102@gmail.com>:
You have taken responsibility. (Tue, 21 May 2019 20:42:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 21 May 2019 20:42:08 GMT)


Message #12 received at 926348-close@bugs.debian.org:

From: Utkarsh Gupta <guptautkarsh4102@gmail.com>
To: 926348-close@bugs.debian.org
Subject: Bug#926348: fixed in ruby-devise 4.5.0-3
Date: Tue, 21 May 2019 20:40:24 +0000
Source: ruby-devise
Source-Version: 4.5.0-3

We believe that the bug you reported is fixed in the latest version of
ruby-devise, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926348@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <guptautkarsh4102@gmail.com> (supplier of updated ruby-devise package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 22 May 2019 00:38:15 +0530
Source: ruby-devise
Architecture: source
Version: 4.5.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <guptautkarsh4102@gmail.com>
Closes: 926348
Changes:
 ruby-devise (4.5.0-3) unstable; urgency=medium
 .
   * Team upload
   * Add patch to fix CVE-2019-5421 (Fixes: CVE-2019-5421) (Closes: #926348)







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:46:36 2019; Machine Name: buxtehude
