ruby-rack predictable hash collisions

Related Vulnerabilities: CVE-2011-5036  

Debian Bug report logs - #653963


Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Sun, 1 Jan 2012 22:54:08 UTC

Severity: serious

Tags: security

Fixed in version ruby-rack/1.4.0-1

Done: Paul van Tilburg <paulvt@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#653963; Package ruby-rack. (Sun, 01 Jan 2012 22:54:11 GMT)


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 01 Jan 2012 22:54:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: ruby-rack predictable hash collisions
Date: Sun, 1 Jan 2012 23:52:14 +0100
Package: ruby-rack
Severity: serious
Tags: security

Hi,

It was reported that Rack is affected by the predictable hash collisions 
attack that made its rounds around the net this week. This is tracked at
http://security-tracker.debian.org/tracker/CVE-2011-5036

Can you ensure that fixed packages are uploaded to sid as soon as possible?


Cheers,
Thijs

Reply sent to Paul van Tilburg <paulvt@debian.org>:
You have taken responsibility. (Tue, 03 Jan 2012 22:12:04 GMT)


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Tue, 03 Jan 2012 22:12:04 GMT)


Message #10 received at 653963-close@bugs.debian.org:

From: Paul van Tilburg <paulvt@debian.org>
To: 653963-close@bugs.debian.org
Subject: Bug#653963: fixed in ruby-rack 1.4.0-1
Date: Tue, 03 Jan 2012 22:09:10 +0000
Source: ruby-rack
Source-Version: 1.4.0-1

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive:

librack-ruby1.8_1.4.0-1_all.deb
  to main/r/ruby-rack/librack-ruby1.8_1.4.0-1_all.deb
librack-ruby1.9.1_1.4.0-1_all.deb
  to main/r/ruby-rack/librack-ruby1.9.1_1.4.0-1_all.deb
librack-ruby_1.4.0-1_all.deb
  to main/r/ruby-rack/librack-ruby_1.4.0-1_all.deb
ruby-rack_1.4.0-1.debian.tar.gz
  to main/r/ruby-rack/ruby-rack_1.4.0-1.debian.tar.gz
ruby-rack_1.4.0-1.dsc
  to main/r/ruby-rack/ruby-rack_1.4.0-1.dsc
ruby-rack_1.4.0-1_all.deb
  to main/r/ruby-rack/ruby-rack_1.4.0-1_all.deb
ruby-rack_1.4.0.orig.tar.gz
  to main/r/ruby-rack/ruby-rack_1.4.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 653963@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul van Tilburg <paulvt@debian.org> (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 03 Jan 2012 22:39:13 +0100
Source: ruby-rack
Binary: ruby-rack librack-ruby1.9.1 librack-ruby1.8 librack-ruby
Architecture: source all
Version: 1.4.0-1
Distribution: unstable
Urgency: low
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Paul van Tilburg <paulvt@debian.org>
Description: 
 librack-ruby - Transitional package for ruby-rack
 librack-ruby1.8 - Transitional package for ruby-rack
 librack-ruby1.9.1 - Transitional package for ruby-rack
 ruby-rack  - Modular Ruby webserver interface
Closes: 653963
Changes: 
 ruby-rack (1.4.0-1) unstable; urgency=low
 .
   * New upstream release (closes: #653963).
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#653963; Package ruby-rack. (Wed, 04 Jan 2012 10:18:03 GMT)


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 04 Jan 2012 10:18:20 GMT)


Message #15 received at 653963@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 653963@bugs.debian.org
Subject: Re: Bug#653963 closed by Paul van Tilburg <paulvt@debian.org> (Bug#653963: fixed in ruby-rack 1.4.0-1)
Date: Wed, 4 Jan 2012 11:15:12 +0100
Hi Paul,

On Tue, January 3, 2012 23:12, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the ruby-rack package:
>
> #653963: ruby-rack predictable hash collisions
>
> It has been closed by Paul van Tilburg <paulvt@debian.org>.

Thanks. It's not obvious to me however how/that this release addresses the
problem. Can you elaborate?


thanks,
Thijs

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 11 Feb 2012 07:38:42 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:04:56 2019; Machine Name: beach
