ruby2.5: CVE-2017-17405: Command injection vulnerability in Net::FTP

Related Vulnerabilities: CVE-2017-17405

Debian Bug report logs - #884437
ruby2.5: CVE-2017-17405: Command injection vulnerability in Net::FTP


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 15 Dec 2017 08:24:05 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version ruby2.5/2.5.0~preview1-1

Fixed in version ruby2.5/2.5.0~rc1-1

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#884437; Package src:ruby2.5. (Fri, 15 Dec 2017 08:24:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antonio Terceiro <terceiro@debian.org>. (Fri, 15 Dec 2017 08:24:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby2.5: CVE-2017-17405: Command injection vulnerability in Net::FTP
Date: Fri, 15 Dec 2017 09:20:49 +0100
Source: ruby2.5
Version: 2.5.0~preview1-1
Severity: grave
Tags: patch security upstream fixed-upstream
Control: clone -1 -2
Control: reassign -2 ruby2.3 2.3.5-1
Control: found -2 2.3.3-1
Control: retitle -2 ruby2.3: CVE-2017-17405: Command injection vulnerability in Net::FTP

Hi,

the following vulnerability was published for ruby.

CVE-2017-17405[0]:
Command injection vulnerability in Net::FTP

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17405
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17405
[1] https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
[2] https://github.com/ruby/ruby/commit/6d3f72e5be2312be312f2acbf3465b05293c1431

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
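The report above only names the bug; the upstream advisory it links as [1] describes the mechanism: Net::FTP#get, #getbinaryfile, #gettextfile, #put, #putbinaryfile and #puttextfile opened the local file with Kernel#open, which treats a filename beginning with "|" as a command to spawn, and the default local filename is derived from the remote name, so a hostile FTP server could pick it. The following is an added example, not code from this bug report, from Debian or from Ruby's own Net::FTP; the function names, the safe_local_name? guard and the EVIL_NAME string are illustrative constructs of this page, and the demo runs only the hardened path so nothing is actually executed.

```ruby
require "tmpdir"

# Vulnerable shape (Net::FTP before the upstream fix): Kernel#open on the
# local filename. A leading "|" makes Kernel#open spawn a command and hand
# the caller its stdin, so a server-chosen name becomes a shell command.
# Defined for illustration only; demo_fixed_path below never calls it.
def save_local_vulnerable(localfile, data)
  open(localfile, "w") { |f| f.write(data) }
end

# Hardened shape (what the upstream fix switched to): File.open only ever
# opens a file, and "|" is just another filename character.
def save_local_fixed(localfile, data)
  File.open(localfile, "w") { |f| f.write(data) }
end

# Hypothetical extra guard for callers that derive the local filename from
# server-supplied listings, e.g. `ftp.nlst.each { |name| ftp.get(name) }`:
# reject pipe prefixes, path separators and the dot entries before use.
def safe_local_name?(name)
  return false if name.nil? || name.empty?
  return false if name.start_with?("|")
  return false if File.basename(name) != name   # contained a "/"
  return false if name == "." || name == ".."
  true
end

# Constructed sample of the kind of name a malicious FTP server could return
# in a directory listing (sample data, not a captured listing).
EVIL_NAME = "|echo pwned > marker".freeze

# Writes EVIL_NAME with the hardened routine inside a scratch directory and
# returns [file_created, command_ran]. With File.open the result is
# [true, false]: a file literally named "|echo pwned > marker" appears and
# no "marker" file is produced, because no shell ever ran.
def demo_fixed_path
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      save_local_fixed(EVIL_NAME, "payload")
      [File.exist?(EVIL_NAME), File.exist?("marker")]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  p demo_fixed_path
  p [EVIL_NAME, "report.txt", "../etc/passwd"].map { |n| safe_local_name?(n) }
end
```

The guard is belt-and-braces: once the library uses File.open the pipe prefix is harmless, but a caller that feeds `ftp.nlst` results straight into `ftp.get` still wants to refuse names with path separators, since the local path is otherwise chosen by the remote side.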



Bug 884437 cloned as bug 884438 Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 15 Dec 2017 08:24:07 GMT)


Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Sun, 24 Dec 2017 15:21:27 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 24 Dec 2017 15:21:27 GMT)


Message #12 received at 884437-close@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: 884437-close@bugs.debian.org
Subject: Bug#884437: fixed in ruby2.5 2.5.0~rc1-1
Date: Sun, 24 Dec 2017 15:14:02 +0000
Source: ruby2.5
Source-Version: 2.5.0~rc1-1

We believe that the bug you reported is fixed in the latest version of
ruby2.5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884437@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated ruby2.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 24 Dec 2017 12:29:25 -0200
Source: ruby2.5
Binary: ruby2.5 libruby2.5 ruby2.5-dev ruby2.5-doc
Architecture: source
Version: 2.5.0~rc1-1
Distribution: unstable
Urgency: medium
Maintainer: Antonio Terceiro <terceiro@debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
 libruby2.5 - Libraries necessary to run Ruby 2.5
 ruby2.5    - Interpreter of object-oriented scripting language Ruby
 ruby2.5-dev - Header files for compiling extension modules for the Ruby 2.5
 ruby2.5-doc - Documentation for Ruby 2.5
Closes: 832022 881772 884437
Changes:
 ruby2.5 (2.5.0~rc1-1) unstable; urgency=medium
 .
   * New upstream release candidate. Includes the following fixes:
     - Fix stack size on powerpc64 (Closes: #881772)
     - CVE-2017-17405: Command injection vulnerability in Net::FTP
       (Closes: #884437)
   * Refresh patches
   * debian/control:
     - Remove explicit Testsuite: header
     - ruby2.5-dev: Recommends: ruby2.5-doc
     - Declare compatibility with Debian Policy 4.1.2; no changes needed
     - Bump debhelper compatibility level to 10
       - change debian/rules to call ./configure directly, to use upstream's
         built-in multiarch support as before debhelper compatibility level 9
   * debian/watch: download release tarballs.
     Using release tarballs makes it possible to build ruby without having an
     existing ruby. This should help bootstrapping ruby on new
     architectures. (Closes: #832022)
   * debian/copyright: exclude embedded copies of bundled gems and libffi
   * debian/rules:
     - run tests in verbose mode during build
     - drop explicit usage of autotools-dev
     - drop usage of autoreconf debhelper sequence, it's not needed anymore
       since we are now using a complete upstream release tarball
    - drop passing --baseruby to configure, since we do not require an existing
      ruby anymore
     - skip setting DEB_HOST_MULTIARCH if already set
     - replace manual call to dpkg-parsechangelog with including
       /usr/share/dpkg/pkg-info.mk and using variables from there.
  * autopkgtest: make use of the test exclusion rules under test/excludes/
   * debian/libruby2.5.symbols: update with symbols added/removed since the
     preview1 release
   * debian/tests/bundled-gems: handle extra field in gems/bundled_gems
   * debian/libruby2.5.lintian-overrides: remove unused override
     (possible-gpl-code-linked-with-openssl)
Checksums-Sha1:
 f2f26aae91e34f2c5ce13001b22d2cbb578ffe2e 2352 ruby2.5_2.5.0~rc1-1.dsc
 1f739b1f01268ef139656e307f8163bd90c1606b 30925411 ruby2.5_2.5.0~rc1.orig.tar.gz
 ae7d013fed2114af7d096576ad0ad19eb2c515ba 99144 ruby2.5_2.5.0~rc1-1.debian.tar.xz
 4ed51818c43411e93b31f4e03b2a0aa89e46ec99 6377 ruby2.5_2.5.0~rc1-1_source.buildinfo
Checksums-Sha256:
 245629eb09f3cc38c8ceca0b4ee29febd96a7097ea7f4ddfe9f83b243e5f2ff8 2352 ruby2.5_2.5.0~rc1-1.dsc
 3eb57888cadb469a2faf0a8031ad2180ca981167d8a646aaebfbd6f786feecc8 30925411 ruby2.5_2.5.0~rc1.orig.tar.gz
 0295b9da564c398f3efb4e963937ee298c224d2fbe7936eb48f33e129aa7f28e 99144 ruby2.5_2.5.0~rc1-1.debian.tar.xz
 511ed1c027cff8c1b3fa9a8f9084a18c36873fde340204c78ccefa84519195a6 6377 ruby2.5_2.5.0~rc1-1_source.buildinfo
Files:
 174bdd4580ba9f91b7318fd9efc61394 2352 ruby optional ruby2.5_2.5.0~rc1-1.dsc
 466cdb22f4ea5dbcf1bc4f6f77117ae8 30925411 ruby optional ruby2.5_2.5.0~rc1.orig.tar.gz
 3e754662560017ca670ea903d9ff4eb4 99144 ruby optional ruby2.5_2.5.0~rc1-1.debian.tar.xz
 ac44fb0acf5ec3c33eb3e2c366825db8 6377 ruby optional ruby2.5_2.5.0~rc1-1_source.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 02 Feb 2018 07:29:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:22:11 2019; Machine Name: buxtehude
