Your message dated Thu, 30 Jul 2015 01:19:23 +0000
with message-id <[email protected]>
and subject line Bug#790111: fixed in ruby2.2 2.2.2-3
has caused the Debian Bug report #790111,
regarding ruby2.2: CVE-2015-3900: DNS hijacking vulnerability in api_endpoint()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
790111: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790111
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby2.2
Version: 2.2.2-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for ruby2.2.

CVE-2015-3900[0]:
| RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before
| 2.4.7 does not validate the hostname when fetching gems or making API
| request, which allows remote attackers to redirect requests to
| arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack
| attack."

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3900
[1] http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html

Regards,
Salvatore

--- End Message ---
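The CVE description quoted above says RubyGems followed whatever host a `_rubygems._tcp` SRV record named. The Ruby below is an added illustration, not RubyGems' own code: it shows the kind of check the fix introduces, accepting an SRV target only when it is the original host or a subdomain of it, and falling back to the original URI otherwise. The SRV result is passed in as a plain string (a stand-in for a `Resolv::DNS` lookup) so the example runs offline; all host names are constructed.

```ruby
require 'uri'

# Added example, not RubyGems' own code.
# Given the host named by a gem source URI and the target returned by an
# SRV lookup for _rubygems._tcp.<host>, decide whether following it is
# safe. The target must be the host itself or a subdomain of it, so a
# record pointing at an unrelated domain is ignored.
def srv_target_allowed?(host, target)
  host   = host.to_s.strip.downcase
  target = target.to_s.strip.downcase.chomp('.') # drop trailing DNS dot
  return false if host.empty? || target.empty?
  # Compare on a label boundary: "evil-rubygems.org" must not pass as a
  # subdomain of "rubygems.org", hence the leading dot in the suffix.
  target == host || target.end_with?(".#{host}")
end

# Resolve the API endpoint for a source URI. `srv_target` stands in for
# the SRV lookup result (nil when the lookup failed or returned nothing).
# The vulnerable behaviour was to build the new URI from any target;
# here the target is only used when srv_target_allowed? accepts it.
def api_endpoint(source_uri, srv_target)
  uri = URI(source_uri)
  return uri if srv_target.nil?
  return uri unless srv_target_allowed?(uri.host, srv_target)
  URI("#{uri.scheme}://#{srv_target.to_s.strip.chomp('.')}#{uri.path}")
end
```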
--- Begin Message ---
Source: ruby2.2
Source-Version: 2.2.2-3

We believe that the bug you reported is fixed in the latest version of
ruby2.2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <[email protected]> (supplier of updated ruby2.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 29 Jul 2015 09:50:08 -0300
Source: ruby2.2
Binary: ruby2.2 libruby2.2 libruby2.2-dbg ruby2.2-dev ruby2.2-doc ruby2.2-tcltk
Architecture: source all
Version: 2.2.2-3
Distribution: unstable
Urgency: medium
Maintainer: Antonio Terceiro <[email protected]>
Changed-By: Antonio Terceiro <[email protected]>
Description:
 libruby2.2 - Libraries necessary to run Ruby 2.2
 libruby2.2-dbg - Debugging symbols for libruby2.2
 ruby2.2    - Interpreter of object-oriented scripting language Ruby
 ruby2.2-dev - Header files for compiling extension modules for the Ruby 2.2
 ruby2.2-doc - Documentation for Ruby 2.2
 ruby2.2-tcltk - Ruby/Tk for Ruby 2.2
Closes: 790111 791925
Changes:
 ruby2.2 (2.2.2-3) unstable; urgency=medium
 .
   [ Christian Hofstaedtler ]
   * Have libruby2.2 depend on ruby-test-unit, as upstream bundles this
     externally maintained package in their tarballs. (Closes: #791925)
 .
   [ Antonio Terceiro ]
   * Apply upstream patches to fix Request hijacking vulnerability in Rubygems
     [CVE-2015-3900] (Closes: #790111)


--- End Message ---
