ruby-doorkeeper-openid-connect: CVE-2019-9837


Debian Bug report logs - #924747
ruby-doorkeeper-openid-connect: CVE-2019-9837


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 16 Mar 2019 20:30:01 UTC

Severity: grave

Tags: security, upstream

Found in version ruby-doorkeeper-openid-connect/1.5.2-1

Fixed in version ruby-doorkeeper-openid-connect/1.5.5-1

Done: Utkarsh Gupta <guptautkarsh4102@gmail.com>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/61



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#924747; Package src:ruby-doorkeeper-openid-connect. (Sat, 16 Mar 2019 20:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 16 Mar 2019 20:30:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-doorkeeper-openid-connect: CVE-2019-9837
Date: Sat, 16 Mar 2019 21:27:00 +0100
Source: ruby-doorkeeper-openid-connect
Version: 1.5.2-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/61

Hi,

The following vulnerability was published for ruby-doorkeeper-openid-connect.

CVE-2019-9837[0]:
| Doorkeeper::OpenidConnect (aka the OpenID Connect extension for
| Doorkeeper) 1.4.x and 1.5.x before 1.5.4 has an open redirect via the
| redirect_uri field in an OAuth authorization request (that results in
| an error response) with the 'openid' scope and a prompt=none value.
| This allows phishing attacks against the authorization flow.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9837
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9837
[1] https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/61
[2] https://github.com/doorkeeper-gem/doorkeeper-openid_connect/pull/66

Regards,
Salvatore
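The open-redirect class described in the CVE text above, shown from the fix side: an added example (not the doorkeeper-openid_connect gem's own code) of how an error response for a prompt=none request with the openid scope should only redirect to a redirect_uri that is registered for the client, and otherwise render the error on the provider's own page. The client registry, the params hash, and the helper names are assumptions made for the example.

```ruby
require "uri"

# Constructed client registry for this example (an assumption; not Doorkeeper's model).
REGISTERED_REDIRECT_URIS = {
  "client-1" => ["https://app.example.com/callback"],
}.freeze

# Exact-match validation of a requested redirect_uri against the client's registered
# URIs. OAuth 2.0 calls for exact comparison; prefix or host-only matching is the
# usual way an open redirect slips into a provider.
def registered_redirect_uri?(client_id, redirect_uri)
  return false if redirect_uri.nil? || redirect_uri.empty?
  parsed = begin
    URI.parse(redirect_uri)
  rescue URI::InvalidURIError
    return false
  end
  return false if parsed.fragment # redirect URIs must not carry a fragment
  REGISTERED_REDIRECT_URIS.fetch(client_id, []).include?(redirect_uri)
end

# Decide how the error for a prompt=none request that cannot proceed silently is
# delivered. params is a Hash of the authorization request parameters; logged_in says
# whether the resource owner already has a session (both constructed for the example).
# Returns [:redirect, location] only when redirect_uri is registered for the client,
# and [:render, error] otherwise, so the provider shows the error on its own page and
# never sends the browser to an unverified redirect_uri.
def prompt_none_error_response(params, logged_in:)
  scopes = params[:scope].to_s.split
  return [:ok, nil] unless scopes.include?("openid") && params[:prompt] == "none"
  return [:ok, nil] if logged_in # nothing to report; the normal flow continues

  unless registered_redirect_uri?(params[:client_id], params[:redirect_uri])
    return [:render, "invalid_redirect_uri"]
  end

  # Registered target: append the OpenID Connect error (and echo state) to the
  # existing query string rather than replacing it.
  location = URI.parse(params[:redirect_uri])
  query = { "error" => "login_required" }
  query["state"] = params[:state] if params[:state]
  prefix = location.query ? "#{location.query}&" : ""
  location.query = prefix + URI.encode_www_form(query)
  [:redirect, location.to_s]
end
```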



Reply sent to Utkarsh Gupta <guptautkarsh4102@gmail.com>:
You have taken responsibility. (Sun, 24 Mar 2019 12:09:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 24 Mar 2019 12:09:05 GMT) (full text, mbox, link).


Message #10 received at 924747-close@bugs.debian.org (full text, mbox, reply):

From: Utkarsh Gupta <guptautkarsh4102@gmail.com>
To: 924747-close@bugs.debian.org
Subject: Bug#924747: fixed in ruby-doorkeeper-openid-connect 1.5.5-1
Date: Sun, 24 Mar 2019 12:05:54 +0000
Source: ruby-doorkeeper-openid-connect
Source-Version: 1.5.5-1

We believe that the bug you reported is fixed in the latest version of
ruby-doorkeeper-openid-connect, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924747@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <guptautkarsh4102@gmail.com> (supplier of updated ruby-doorkeeper-openid-connect package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 24 Mar 2019 16:22:22 +0530
Source: ruby-doorkeeper-openid-connect
Binary: ruby-doorkeeper-openid-connect
Architecture: source
Version: 1.5.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <guptautkarsh4102@gmail.com>
Description:
 ruby-doorkeeper-openid-connect - OpenID Connect extension for Doorkeeper
Closes: 924747
Changes:
 ruby-doorkeeper-openid-connect (1.5.5-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 1.5.5 (Fixes: CVE-2019-9837) (Closes: #924747)
   * Update d/watch to point GitHub
   * Bump Standards-Version to 4.3.0 (no changes needed)
   * Fix insecure URL





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 25 Apr 2019 07:27:10 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:40:02 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.