Debian Bug report logs - #698440
ruby-rack: CVE-2012-6109 CVE-2013-0184 CVE-2013-0183
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Fri, 18 Jan 2013 15:00:02 UTC
Severity: grave
Tags: security
Fixed in version ruby-rack/1.4.1-2.1
Done: KURASHIKI Satoru <lurdan@gmail.com>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#698440; Package ruby-rack. (Fri, 18 Jan 2013 15:00:05 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 18 Jan 2013 15:00:05 GMT)
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: ruby-rack
Severity: grave
Tags: security
Justification: user security hole
Please see these links for details:
http://seclists.org/oss-sec/2013/q1/80
http://seclists.org/oss-sec/2013/q1/83
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#698440; Package ruby-rack. (Sat, 19 Jan 2013 21:21:04 GMT)
Acknowledgement sent to Youhei SASAKI <uwabami@gfd-dennou.org>: Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 19 Jan 2013 21:21:04 GMT)
Message #10 received at 698440@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Dear team member:
(Cc: BTS, security team)
I created cherry-picked patches from upstream in order to fix these CVE
issues and committed them to the team git repository. Please review for upload.
Vcs-Git: git://git.debian.org/pkg-ruby-extras/ruby-rack.git
Vcs-Browser: http://git.debian.org/?p=pkg-ruby-extras/ruby-rack.git;a=summary
BTW, I don't know whether these issues affect the stable packages,
librack-ruby{,1.8,1.9.1}, ver. 1.1.0-4.
# We have dropped them from SVN repos. Thus we should import them into
# team Git repos.
P.S. Thanks Moritz!
At 18 Jan 2013 15:55:23 +0100,
"Moritz Muehlenhoff" <jmm@inutil.org> wrote:
>
> Package: ruby-rack
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see these links for details:
> http://seclists.org/oss-sec/2013/q1/80
> http://seclists.org/oss-sec/2013/q1/83
>
Best Wishes,
- ---
Youhei SASAKI <uwabami@gfd-dennou.org>
<uwabami@debian.or.jp>
GPG fingerprint:
4096/RSA: 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
=u1mW
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#698440; Package ruby-rack. (Mon, 21 Jan 2013 23:39:03 GMT)
Acknowledgement sent to Nobuhiro Iwamatsu <iwamatsu@nigauri.org>: Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 21 Jan 2013 23:39:03 GMT)
Message #15 received at 698440@bugs.debian.org (full text, mbox, reply):
Hi,
On Sun, Jan 20, 2013 at 6:13 AM, Youhei SASAKI <uwabami@gfd-dennou.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Dear team member:
> (Cc: BTS, security team)
>
> I created cherry-picked patches from upstream in order to fix these CVE
> issues and committed them to the team git repository. Please review for upload.
Looks good to me.
>
> Vcs-Git: git://git.debian.org/pkg-ruby-extras/ruby-rack.git
> Vcs-Browser: http://git.debian.org/?p=pkg-ruby-extras/ruby-rack.git;a=summary
>
> BTW, I don't know whether these issues affect the stable packages,
> librack-ruby{,1.8,1.9.1}, ver. 1.1.0-4.
I seem to need 0003-Reimplement-auth-scheme-fix.patch.
Please consult the security team about this.
>
> # We have dropped them from SVN repos. Thus we should import them into
> # team Git repos.
>
> P.S. Thanks Moritz!
>
> At 18 Jan 2013 15:55:23 +0100,
> "Moritz Muehlenhoff" <jmm@inutil.org> wrote:
>>
>> Package: ruby-rack
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Please see these links for details:
>> http://seclists.org/oss-sec/2013/q1/80
>> http://seclists.org/oss-sec/2013/q1/83
>>
>
> Best Wishes,
> - ---
> Youhei SASAKI <uwabami@gfd-dennou.org>
> <uwabami@debian.or.jp>
> GPG fingerprint:
> 4096/RSA: 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
>
> iQIcBAEBCgAGBQJQ+wxnAAoJEJOU81SJHX4HrewP/3goc7fyxCGG4o8ZoECNjV7Z
> zCKE/ya6aRVqvcFEBbSrvo/nh+QZdmMbLb2mu68PV8iEdsa7zYuxH+uGMv5brckN
> ST4dOAyUIfAvTBfusgsIDZaJWkOI/5w5t6Cv3hEr5wbBikvkyee40xCrkDklYoU3
> Y0/rSsjoIf5CUQwZ9XrSVbf5Z/Jy1RY9mXCJOygQXRwztYPbO8hawO2sv73MQM4W
> stTViWues7IgnjAEDPrtYOU3d35bx0MgDwfxcqXr9nDIz6TsnCX34FNiWl9Zw4Lc
> 6sJhUVKpCImTTwaHSRtvg/HWH75L+qLh6W8isscyh4qR3ZfFRmMgjPcm9Y/X56LI
> 0KPUuwuQQkOi6dgyY8jR6fk03Bwh4KpnJWfwUvPYHQX9IF5iRJbsfKuyqrqs2HQC
> Sv5xrp0eedoxs7Jh9hq4MMAwioM6r3/KtYUB0gyc4/6GxiPnLwGJtH3jcphCjju6
> BFyNRVsBc9oS/sH4Npor7Urr7KsMo8SeSmoJLPbqVwPVfbDLgL2LFOr5d3RLXqlU
> efJ2XxtIRqPMkzWoBZlWdKoxp3eQ08AMSeRhgJR+7ZG0+j7biSuM2nhRtF1AhVDp
> rq3mUzfBQi7MEw4cSFoGHIZVXj5SIX8Mlhou1si5OAww8qbPPx36HvNbxBDXoD4l
> EHLfuZ4hvyyg+0DVwtJi
> =u1mW
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Pkg-ruby-extras-maintainers mailing list
> Pkg-ruby-extras-maintainers@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
Best regards,
Nobuhiro
--
Nobuhiro Iwamatsu
iwamatsu at {nigauri.org / debian.org}
GPG ID: 40AD1FA6
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#698440; Package ruby-rack. (Sat, 26 Jan 2013 16:03:03 GMT)
Acknowledgement sent to Youhei SASAKI <uwabami@gfd-dennou.org>: Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 26 Jan 2013 16:03:03 GMT)
Message #20 received at 698440@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi,
At 22 Jan 2013 08:36:22 +0900,
"Nobuhiro Iwamatsu" <iwamatsu@nigauri.org> wrote:
>
> Looks good to me.
Thank you for your review. I'll upload it.
> > BTW, I don't know whether these issues affect the stable packages,
> > librack-ruby{,1.8,1.9.1}, ver. 1.1.0-4.
>
> I seem to need 0003-Reimplement-auth-scheme-fix.patch.
> Please consult the security team about this.
Ok.
Best Wishes,
Youhei
- ---
Youhei SASAKI <uwabami@gfd-dennou.org>
<uwabami@debian.or.jp>
GPG fingerprint:
4096/RSA: 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
=YP9S
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#698440; Package ruby-rack. (Mon, 11 Feb 2013 04:39:03 GMT)
Acknowledgement sent to Satoru KURASHIKI <lurdan@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 11 Feb 2013 04:39:03 GMT)
Message #25 received at 698440@bugs.debian.org (full text, mbox, reply):
hi,
(CC: pkg-ruby-extras-maintainers)
> > > BTW, I don't know whether these issues affect the stable packages,
> > > librack-ruby{,1.8,1.9.1}, ver. 1.1.0-4.
> >
> > I seem to need 0003-Reimplement-auth-scheme-fix.patch.
> > Please consult the security team about this.
>
> Ok.
I prepared a patch for the stable version (with the maintainer's acknowledgement).
Please audit it; after that I will prepare an NMU for this (with #70026).
The prepared patch follows:
--- a/lib/rack.rb 2013-02-11 02:31:24.375449225 +0000
+++ b/lib/rack.rb 2013-02-11 02:33:48.735596653 +0000
@@ -71,6 +71,18 @@ module Rack
autoload :Params, "rack/auth/digest/params"
autoload :Request, "rack/auth/digest/request"
end
+
+ # Not all of the following schemes are "standards", but they are
used often.
+ @schemes = %w[basic digest bearer mac token oauth oauth4]
+
+ def self.add_scheme scheme
+ @schemes << scheme
+ @schemes.uniq!
+ end
+
+ def self.schemes
+ @schemes.dup
+ end
end
module Session
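Review bot: `add_scheme` in this hunk does not normalize its argument, while the lookup in `AbstractRequest#scheme` compares the downcased header token against `Rack::Auth.schemes`, so a scheme registered as `"Bearer"` (or as a Symbol) would never match and would fall through to the String path. Suggest `@schemes << scheme.to_s.downcase` before the `uniq!`. Returning `@schemes.dup` from `schemes` is right, since callers cannot then mutate the registry behind `add_scheme`'s back. Separately, the comment line `# Not all of the following schemes are "standards", but they are` has been wrapped by the mailer so that `used often.` appears without a leading `+`; the diff will not apply as pasted here and should be taken from the committed file rather than the mail body.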
--- a/lib/rack/auth/abstract/request.rb 2013-02-11 02:36:39.864688680 +0000
+++ b/lib/rack/auth/abstract/request.rb 2013-02-11 02:39:02.948692080 +0000
@@ -15,7 +15,11 @@
end
def scheme
- @scheme ||= parts.first.downcase.to_sym
+ @scheme ||=
+ begin
+ s = parts.first.downcase
+ Rack::Auth.schemes.include?(s) ? s.to_sym : s
+ end
end
def params
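Review bot: the removed line `@scheme ||= parts.first.downcase.to_sym` interned whatever scheme token the client put in the Authorization header, and in the Ruby versions of the time symbols are never garbage collected, so an unauthenticated client could grow the symbol table without bound; the changelog lists this as CVE-2013-0184. The new body calls `to_sym` only for tokens present in `Rack::Auth.schemes` and returns the raw String otherwise, which closes that. Two follow-ups: the return type is now Symbol-or-String, so any caller that compares `scheme == 'basic'` or calls `scheme.to_sym` on the result needs a look (the latter would reintroduce the interning); and `parts.first.downcase` is still unguarded, so an empty header value raises NoMethodError exactly as the old line did, not a regression but worth `parts.first.to_s.downcase` if this code is touched again.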
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ b/test/spec_auth.rb 2013-02-11 02:28:44.635615432 +0000
@@ -0,0 +1,57 @@
+require 'rack'
+
+describe Rack::Auth do
+ it "should have all common authentication schemes" do
+ Rack::Auth.schemes.should.include? 'basic'
+ Rack::Auth.schemes.should.include? 'digest'
+ Rack::Auth.schemes.should.include? 'bearer'
+ Rack::Auth.schemes.should.include? 'token'
+ end
+
+ it "should allow registration of new auth schemes" do
+ Rack::Auth.schemes.should.not.include "test"
+ Rack::Auth.add_scheme "test"
+ Rack::Auth.schemes.should.include "test"
+ end
+end
+
+describe Rack::Auth::AbstractRequest do
+ it "should symbolize known auth schemes" do
+ env = Rack::MockRequest.env_for('/')
+ env['HTTP_AUTHORIZATION'] = 'Basic aXJyZXNwb25zaWJsZQ=='
+ req = Rack::Auth::AbstractRequest.new(env)
+ req.scheme.should == :basic
+
+
+ env['HTTP_AUTHORIZATION'] = 'Digest aXJyZXNwb25zaWJsZQ=='
+ req = Rack::Auth::AbstractRequest.new(env)
+ req.scheme.should == :digest
+
+ env['HTTP_AUTHORIZATION'] = 'Bearer aXJyZXNwb25zaWJsZQ=='
+ req = Rack::Auth::AbstractRequest.new(env)
+ req.scheme.should == :bearer
+
+ env['HTTP_AUTHORIZATION'] = 'MAC aXJyZXNwb25zaWJsZQ=='
+ req = Rack::Auth::AbstractRequest.new(env)
+ req.scheme.should == :mac
+
+ env['HTTP_AUTHORIZATION'] = 'Token aXJyZXNwb25zaWJsZQ=='
+ req = Rack::Auth::AbstractRequest.new(env)
+ req.scheme.should == :token
+
+ env['HTTP_AUTHORIZATION'] = 'OAuth aXJyZXNwb25zaWJsZQ=='
+ req = Rack::Auth::AbstractRequest.new(env)
+ req.scheme.should == :oauth
+
+ env['HTTP_AUTHORIZATION'] = 'OAuth4 aXJyZXNwb25zaWJsZQ=='
+ req = Rack::Auth::AbstractRequest.new(env)
+ req.scheme.should == :oauth4
+ end
+
+ it "should not symbolize unknown auth schemes" do
+ env = Rack::MockRequest.env_for('/')
+ env['HTTP_AUTHORIZATION'] = 'magic aXJyZXNwb25zaWJsZQ=='
+ req = Rack::Auth::AbstractRequest.new(env)
+ req.scheme.should == "magic"
+ end
+end
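Review bot: the `should allow registration of new auth schemes` spec mutates the global registry (`Rack::Auth.add_scheme "test"`) and never removes `"test"`, so spec order now matters and any later spec asserting the exact contents of `Rack::Auth.schemes` would see the leaked entry; consider restoring the registry in an `after` block or asserting on a copy. The `AbstractRequest` specs are the right regression tests otherwise: `should not symbolize unknown auth schemes` pins the String return for an unregistered token, which is the case that mattered for the symbol-table exhaustion, and the mixed-case `MAC` and `OAuth4` inputs exercise the `downcase` in `scheme`. One gap: there is no spec that registers a scheme via `add_scheme` and then checks that `AbstractRequest#scheme` symbolizes it, which is what would catch a case mismatch between registration and lookup.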
regards,
--
KURASHIKI Satoru
Reply sent to KURASHIKI Satoru <lurdan@gmail.com>: You have taken responsibility. (Wed, 27 Feb 2013 08:51:12 GMT)
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Wed, 27 Feb 2013 08:51:12 GMT)
Message #30 received at 698440-close@bugs.debian.org (full text, mbox, reply):
Source: ruby-rack
Source-Version: 1.4.1-2.1
We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 698440@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
KURASHIKI Satoru <lurdan@gmail.com> (supplier of updated ruby-rack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 20 Feb 2013 20:56:31 +0900
Source: ruby-rack
Binary: ruby-rack librack-ruby1.9.1 librack-ruby1.8 librack-ruby
Architecture: source all
Version: 1.4.1-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: KURASHIKI Satoru <lurdan@gmail.com>
Description:
librack-ruby - Transitional package for ruby-rack
librack-ruby1.8 - Transitional package for ruby-rack
librack-ruby1.9.1 - Transitional package for ruby-rack
ruby-rack - Modular Ruby webserver interface
Closes: 698440 700173
Changes:
ruby-rack (1.4.1-2.1) unstable; urgency=high
.
[ KURASHIKI Satoru ]
* Non-maintainer upload.
* Create cherry-picked patches for Security Fix (Closes: #700173 #700226).
- CVE-2013-0262: 0004-Prevent-symlink-path-traversals.patch
- CVE-2013-0263: 0005-Use-secure_compare-for-hmac-comparison.patch
.
[ Youhei SASAKI ]
* Create cherry-picked patches for Security Fix (Closes: #698440).
- CVE-2012-6109: 0001-Fix-parsing-performance-for-unquoted-filenames.patch
- CVE-2013-0183: 0002-multipart-parser-avoid-unbounded-gets-method.patch
- CVE-2013-0184: 0003-Reimplement-auth-scheme-fix.patch
Checksums-Sha1:
9a3d309ba4a5e28c4704bdfe4b9ef3f0c59683ac 2296 ruby-rack_1.4.1-2.1.dsc
6af3e111e057eb2bce94f84c0a1ba178f2554a46 10188 ruby-rack_1.4.1-2.1.debian.tar.gz
792c22ac4c9749809bd6ef9898ae067c50e78081 82104 ruby-rack_1.4.1-2.1_all.deb
0dd02e0fff3e0272c99fc54d9e71f6a7289e08f5 4062 librack-ruby1.9.1_1.4.1-2.1_all.deb
e4db038dfa727071b9164bde1683271a2af9d685 4062 librack-ruby1.8_1.4.1-2.1_all.deb
4551ba38658cd22f2ea6477e6ebe48c19445a9c8 4054 librack-ruby_1.4.1-2.1_all.deb
Checksums-Sha256:
5a862fc25cd10be8e1a6a995e9b3026b8b4c179f96f71fb0d82685adc0fd1d27 2296 ruby-rack_1.4.1-2.1.dsc
bde86e2666452bab7366eb9795975d51c559bc53791fefedbcfd53c55777d4cd 10188 ruby-rack_1.4.1-2.1.debian.tar.gz
cea57d69381165645821e448805bab849116debc7ebd4d311dcb29ca8218995c 82104 ruby-rack_1.4.1-2.1_all.deb
93c466d51d6a045a178e7a943ee7a1a2911b315bb9a152e3d64cdf0a4a738521 4062 librack-ruby1.9.1_1.4.1-2.1_all.deb
68634886631f95701cac203a844d66778504dbf487fba894b44132dc09e395e4 4062 librack-ruby1.8_1.4.1-2.1_all.deb
8ba9cbc2c956f13cd0ddb990bc730d674fa6c011415e081601c91e046c06d6a9 4054 librack-ruby_1.4.1-2.1_all.deb
Files:
5a8aec59ccabd8a6c1a46e48dc809a95 2296 ruby optional ruby-rack_1.4.1-2.1.dsc
0504150d496de77471904eb97f398dec 10188 ruby optional ruby-rack_1.4.1-2.1.debian.tar.gz
e51a35b0965eefc77a76a99e757cafab 82104 ruby optional ruby-rack_1.4.1-2.1_all.deb
c1ed80cb81d4860df8f25ef4ef5fbcbd 4062 oldlibs extra librack-ruby1.9.1_1.4.1-2.1_all.deb
5c2f366fb42573ecd4c5da8aede17c02 4062 oldlibs extra librack-ruby1.8_1.4.1-2.1_all.deb
e926fa8545dad99397b6a90ac96d4f60 4054 oldlibs extra librack-ruby_1.4.1-2.1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
=gjB6
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#698440; Package ruby-rack. (Thu, 07 Mar 2013 11:21:03 GMT)
Acknowledgement sent to Satoru KURASHIKI <lurdan@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 07 Mar 2013 11:21:03 GMT)
Message #35 received at 698440@bugs.debian.org (full text, mbox, reply):
dear security team,
On Mon, Feb 11, 2013 at 1:24 PM, Satoru KURASHIKI <lurdan@gmail.com> wrote:
> I've contacted Youhei SASAKI (maintainer of ruby-rack, successor of
> librack-ruby),
> and obtained acknowledgement for preparing an NMU for this bug.
>
> Please audit this patch; after that I will prepare an NMU for squeeze
> (and after that t-p-u, unstable, ...)
I've created an NMU debdiff for stable, which includes these fixes:
#698440 (CVE-2013-0184)
#700226 (CVE-2013-0263)
These are already applied in unstable/testing.
Please consider updating the stable version of librack-ruby with the
attached debdiff to close those CVE issues.
regards,
--
KURASHIKI Satoru
[librack-ruby_s-p-u.debdiff (application/octet-stream, attachment)]
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Apr 2013 07:27:30 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 17:19:55 2019.
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.