
Debian Bug report logs - #888523
ruby-omniauth: CVE-2017-18076: security issue in returning post parameters from session in callback phase


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 26 Jan 2018 18:03:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version ruby-omniauth/1.2.1-1

Fixed in versions ruby-omniauth/1.6.1-1, ruby-omniauth/1.3.1-2, ruby-omniauth/1.3.1-1+deb9u1, ruby-omniauth/1.2.1-1+deb8u1

Done: Pirate Praveen <praveen@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/omniauth/omniauth/pull/867




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#888523; Package src:ruby-omniauth. (Fri, 26 Jan 2018 18:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 26 Jan 2018 18:03:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-omniauth: security issue in returning post parameters from session in callback phase
Date: Fri, 26 Jan 2018 18:58:22 +0100
Source: ruby-omniauth
Version: 1.2.1-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://github.com/omniauth/omniauth/pull/867
Control: fixed -1 1.6.1-1

For tracking this security issue in ruby-omniauth:

> Request phase of omniauth stores request.params in session which are
> later assigned in env of callback phase. According to docs we should
> only store query params but in this case both GET and POST params get
> stored. POST params can contain authenticity_token of application to
> protect from CSRF issues. We shouldn't leak such tokens from POST
> params.

https://github.com/omniauth/omniauth/pull/867

[A CVE has been requested]

Regards,
Salvatore
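
The request/callback round trip the quoted description refers to, modelled as an added Ruby example written for this page (it is not OmniAuth's own code and not the reporter's). It assumes a constructed Rack-style env where `rack.input` is a plain string rather than an IO, and the key names `omniauth.stored_params` and `omniauth.params` are placeholders. With `store_post_params: true` it behaves like the pre-fix code (the merged GET+POST `request.params` go into the session and come back out in the callback env, so the form's `authenticity_token` rides along); with `false` it behaves like the fix (query string only). `leaks_csrf_token?` is the kind of check a defender can run against a session store to confirm the token is no longer persisted.

```ruby
require 'uri'

# Constructed model of OmniAuth's two phases (not OmniAuth's own code).
# The session key, the 'omniauth.params' env key and the string-valued
# 'rack.input' are assumptions of this model.
class StoredParamsRoundTrip
  SESSION_KEY = 'omniauth.stored_params'.freeze

  # store_post_params: true models the pre-fix behaviour (request.params,
  # i.e. GET and POST merged); false models the fix (query string only).
  def initialize(store_post_params:)
    @store_post_params = store_post_params
  end

  # Request phase: remember parameters so the application can see them
  # again after the round trip to the identity provider.
  def request_phase(env)
    params = query_params(env)
    params = params.merge(form_params(env)) if @store_post_params
    env['rack.session'][SESSION_KEY] = params
    params
  end

  # Callback phase: hand the remembered parameters back via env.
  def callback_phase(env)
    env['omniauth.params'] = env['rack.session'].delete(SESSION_KEY) || {}
    env['omniauth.params']
  end

  private

  def query_params(env)
    URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
  end

  # Form body, only meaningful for a POST. The constructed env keeps the raw
  # body as a string in 'rack.input' instead of the IO real Rack provides.
  def form_params(env)
    return {} unless env['REQUEST_METHOD'] == 'POST'
    URI.decode_www_form(env['rack.input'].to_s).to_h
  end
end

# Defender's check: does the session store hold the application's own
# anti-CSRF token? (Parameter name follows the Rails convention.)
def leaks_csrf_token?(session)
  stored = session[StoredParamsRoundTrip::SESSION_KEY] || {}
  stored.key?('authenticity_token')
end

# Drive one request -> callback round trip. The request phase is reached by
# a constructed form POST that carries authenticity_token in its body and
# an 'origin' hint in its query string; the callback is a plain GET.
def run_round_trip(store_post_params:)
  session = {}
  request_env = {
    'REQUEST_METHOD' => 'POST',
    'QUERY_STRING'   => 'origin=%2Fdashboard',
    'rack.input'     => 'authenticity_token=EXAMPLE_TOKEN_NOT_REAL&remember_me=1',
    'rack.session'   => session,
  }
  middleware = StoredParamsRoundTrip.new(store_post_params: store_post_params)
  middleware.request_phase(request_env)
  leaked = leaks_csrf_token?(session)

  callback_env = {
    'REQUEST_METHOD' => 'GET',
    'QUERY_STRING'   => 'code=EXAMPLE_AUTH_CODE',
    'rack.session'   => session,
  }
  returned = middleware.callback_phase(callback_env)
  { stored_csrf_token: leaked, callback_params: returned }
end

if __FILE__ == $PROGRAM_NAME
  p run_round_trip(store_post_params: true)   # token present in callback params
  p run_round_trip(store_post_params: false)  # only {"origin"=>"/dashboard"}
end
```

The point the fix makes is visible in the second result: restricting the request phase to the query string keeps `origin` (the legitimate reason to persist parameters) while the form body, and with it the CSRF token, never enters the session.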



Marked as fixed in versions ruby-omniauth/1.6.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 26 Jan 2018 18:03:05 GMT) (full text, mbox, link).


Changed Bug title to 'ruby-omniauth: CVE-2017-18076: security issue in returning post parameters from session in callback phase' from 'ruby-omniauth: security issue in returning post parameters from session in callback phase'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Jan 2018 18:45:08 GMT) (full text, mbox, link).


Marked as fixed in versions ruby-omniauth/1.3.1-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 31 Jan 2018 09:48:06 GMT) (full text, mbox, link).


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 31 Jan 2018 09:48:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 31 Jan 2018 09:48:07 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#888523. (Wed, 31 Jan 2018 09:48:09 GMT) (full text, mbox, link).


Message #18 received at 888523-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 888523-submitter@bugs.debian.org
Subject: closing 888523
Date: Wed, 31 Jan 2018 10:44:16 +0100
# did not contain bug closer
close 888523 1.3.1-2
thanks




Reply sent to Pirate Praveen <praveen@debian.org>:
You have taken responsibility. (Sat, 10 Feb 2018 21:06:04 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 10 Feb 2018 21:06:04 GMT) (full text, mbox, link).


Message #23 received at 888523-close@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@debian.org>
To: 888523-close@bugs.debian.org
Subject: Bug#888523: fixed in ruby-omniauth 1.3.1-1+deb9u1
Date: Sat, 10 Feb 2018 21:03:15 +0000
Source: ruby-omniauth
Source-Version: 1.3.1-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
ruby-omniauth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888523@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated ruby-omniauth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 31 Jan 2018 12:37:09 +0530
Source: ruby-omniauth
Binary: ruby-omniauth
Architecture: source all
Version: 1.3.1-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Description:
 ruby-omniauth - flexible authentication system utilizing Rack middleware
Closes: 888523
Changes:
 ruby-omniauth (1.3.1-1+deb9u1) stretch-security; urgency=high
 .
   * Fix security issue in returning post parameters from session in callback
     phase (CVE-2017-18076) (Closes: #888523)
Checksums-Sha1:
 48b2863c9bcf3b3869728e9de6e2ea3d0c910c54 2185 ruby-omniauth_1.3.1-1+deb9u1.dsc
 b9dc5aefc26f8b032cca44b9979375492a9cd8a8 23759 ruby-omniauth_1.3.1.orig.tar.gz
 0c8feedbd1f5aed1ec4f282d7f28eb6ae3cab289 4044 ruby-omniauth_1.3.1-1+deb9u1.debian.tar.xz
 6783c72c9d5c3d45a67d246eb2e835a969c8cf7f 16516 ruby-omniauth_1.3.1-1+deb9u1_all.deb
 e37a3c03e27d62c57e62cea4f4035dfca98a4180 7121 ruby-omniauth_1.3.1-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 7ce81369d68a0ed5adc631b2e8c61368cf7817fc175fb2133378f872079b0c9c 2185 ruby-omniauth_1.3.1-1+deb9u1.dsc
 a5043cd38442600320cfd92672f9985be3dc556f51fef63989f46bc21d69aa9e 23759 ruby-omniauth_1.3.1.orig.tar.gz
 a33fa6f2ab2ef413d1bfc10509b273b969c5b5617e0cdfbc30a4b5be9a95f2a8 4044 ruby-omniauth_1.3.1-1+deb9u1.debian.tar.xz
 0c58b99acebe2cf026377dad32c08888f2bc3b33c3197b9850ec17fe5ae87e67 16516 ruby-omniauth_1.3.1-1+deb9u1_all.deb
 8f0ae6e4528b60407fdd0cee1443866b94683210736dd0a27d99526dd4508427 7121 ruby-omniauth_1.3.1-1+deb9u1_amd64.buildinfo
Files:
 4b741576721cc65a7f561caf30934afb 2185 ruby optional ruby-omniauth_1.3.1-1+deb9u1.dsc
 07d67f917782dfca34943971ed32fda3 23759 ruby optional ruby-omniauth_1.3.1.orig.tar.gz
 05b0fbd543964432bf2309ac316f355f 4044 ruby optional ruby-omniauth_1.3.1-1+deb9u1.debian.tar.xz
 e8e592fe69e7f647c473ed54e3eb35d5 16516 ruby optional ruby-omniauth_1.3.1-1+deb9u1_all.deb
 bc11b3476f190edb51a59ae51970c89f 7121 ruby optional ruby-omniauth_1.3.1-1+deb9u1_amd64.buildinfo





Reply sent to Pirate Praveen <praveen@debian.org>:
You have taken responsibility. (Sat, 10 Feb 2018 21:12:19 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 10 Feb 2018 21:12:19 GMT) (full text, mbox, link).


Message #28 received at 888523-close@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@debian.org>
To: 888523-close@bugs.debian.org
Subject: Bug#888523: fixed in ruby-omniauth 1.2.1-1+deb8u1
Date: Sat, 10 Feb 2018 21:09:38 +0000
Source: ruby-omniauth
Source-Version: 1.2.1-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
ruby-omniauth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888523@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated ruby-omniauth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 31 Jan 2018 15:25:20 +0530
Source: ruby-omniauth
Binary: ruby-omniauth
Architecture: source all
Version: 1.2.1-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Description:
 ruby-omniauth - flexible authentication system utilizing Rack middleware
Closes: 888523
Changes:
 ruby-omniauth (1.2.1-1+deb8u1) jessie-security; urgency=high
 .
   * Fix security issue in returning post parameters from session in callback
     phase (CVE-2017-18076) (Closes: #888523)
Checksums-Sha1:
 48049ead9b160e0d05e867770490b6259e21afa8 2160 ruby-omniauth_1.2.1-1+deb8u1.dsc
 03b73ae540baa254248631c48d345c4e84f06dfb 28163 ruby-omniauth_1.2.1.orig.tar.gz
 3989b47011132569d598e08d273d2eaa7b8d1366 3580 ruby-omniauth_1.2.1-1+deb8u1.debian.tar.xz
 99c27ab4694fc336a0776c8095d86c90798ae138 17310 ruby-omniauth_1.2.1-1+deb8u1_all.deb
Checksums-Sha256:
 6b7cadcc597f1639541a709c1c83e5a62966103facf26c18ec77bae71d399c64 2160 ruby-omniauth_1.2.1-1+deb8u1.dsc
 f9dbc9ebee63e87712e9c91515bbe088d14506fc3a271a89b4ddb2d94001ba65 28163 ruby-omniauth_1.2.1.orig.tar.gz
 5e24b3274fec281d2aa96d0680a4fa8158aa1518903aa4c8538e44bef1743c94 3580 ruby-omniauth_1.2.1-1+deb8u1.debian.tar.xz
 ca8388806482a379322d628e581913a7984d12824f54f1502bad87d95196fc50 17310 ruby-omniauth_1.2.1-1+deb8u1_all.deb
Files:
 eb33d277f49d035b36831f19afeddd14 2160 ruby optional ruby-omniauth_1.2.1-1+deb8u1.dsc
 70141fc1b83026c33df6d5711ea29dd3 28163 ruby optional ruby-omniauth_1.2.1.orig.tar.gz
 5c57420534adb6b2392d87010a2d7253 3580 ruby optional ruby-omniauth_1.2.1-1+deb8u1.debian.tar.xz
 8a7d2593ef1947574b5afe59939f9df0 17310 ruby optional ruby-omniauth_1.2.1-1+deb8u1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Mar 2018 07:25:54 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:33:46 2019; Machine Name: beach
