Your message dated Thu, 30 Jul 2015 01:49:12 +0000
with message-id <[email protected]>
and subject line Bug#790119: fixed in ruby2.1 2.1.5-4
has caused the Debian Bug report #790119,
regarding ruby2.1: CVE-2015-3900: DNS hijacking vulnerability in api_endpoint()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
790119: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790119
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby2.1
Version: 2.1.5-1
Severity: important
Tags: security upstream patch fixed-upstream

The following vulnerability was published for ruby2.1.

CVE-2015-3900[0]:
| RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before
| 2.4.7 does not validate the hostname when fetching gems or making API
| request, which allows remote attackers to redirect requests to
| arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack
| attack."

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3900
[1] http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html

Regards,
Salvatore

--- End Message ---
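The CVE text above describes the mechanism but not the check that was missing. RubyGems discovers a source's API endpoint by looking up the SRV record `_rubygems._tcp.<host>` (via Resolv::DNS in the real fetcher) and then talks to whatever host the record names; before the fix, nothing tied that target back to the host the user had configured, so anyone able to answer the DNS query could point the client at their own server. The following Ruby is an added example written for this page, not RubyGems' or Debian's code. The `FAKE_SRV` table, the two function names and the sample hostnames are constructed for the example so it runs offline; the hardened version follows the approach the upstream fix takes, accepting the SRV target only if it is the configured host or lies under it.

```ruby
# Added example (not RubyGems' own code) for the hostname check behind
# CVE-2015-3900. RubyGems resolves _rubygems._tcp.<host> (SRV) to find the
# API endpoint; trusting that answer blindly lets the DNS responder pick the
# host the client sends its requests to.
require 'uri'

# Constructed SRV answers keyed by the name RubyGems would query. The real
# fetcher gets these from Resolv::DNS#getresource; they are stubbed here so
# the example runs offline. Values are SRV "target" fields as a legitimate
# operator or an attacker-controlled resolver might return them.
FAKE_SRV = {
  '_rubygems._tcp.rubygems.org'     => 'api.rubygems.org.',              # legitimate, trailing dot
  '_rubygems._tcp.gems.example.net' => 'gems-cdn.evil.example',          # plain hijack attempt
  '_rubygems._tcp.gems.example.org' => 'gems.example.org.evil.example',  # prefix trick
}.freeze

# Pre-fix shape of the logic: whatever host the SRV record names becomes the
# endpoint, so an attacker-chosen target is used as-is.
def api_endpoint_unchecked(source_uri, srv = FAKE_SRV)
  uri = URI.parse(source_uri)
  target = srv["_rubygems._tcp.#{uri.host}"]
  return uri unless target
  URI.parse("#{uri.scheme}://#{target.chomp('.')}#{uri.path}")
end

# Hardened shape: the SRV target is honoured only when it is the configured
# host itself or a subdomain of it, so a redirect cannot leave the domain the
# user chose. Anything else falls back to the configured source URI.
def api_endpoint_checked(source_uri, srv = FAKE_SRV)
  uri = URI.parse(source_uri)
  target = srv["_rubygems._tcp.#{uri.host}"]
  return uri unless target

  # Normalise: DNS names are case-insensitive and may carry a trailing dot.
  target = target.to_s.strip.chomp('.').downcase
  host = uri.host.downcase

  # Extra guard (beyond this CVE): refuse anything that is not a plain hostname,
  # so a hostile record cannot smuggle URI syntax into the endpoint we build.
  return uri unless target =~ /\A[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\z/

  # The leading dot matters: without it "notrubygems.org" would satisfy an
  # end_with?("rubygems.org") test.
  if target == host || target.end_with?(".#{host}")
    URI.parse("#{uri.scheme}://#{target}#{uri.path}")
  else
    uri
  end
end

if __FILE__ == $PROGRAM_NAME
  FAKE_SRV.each_key do |name|
    src = "https://#{name.sub('_rubygems._tcp.', '')}/"
    puts "#{src}  unchecked -> #{api_endpoint_unchecked(src)}  checked -> #{api_endpoint_checked(src)}"
  end
end
```

Run as a script it prints, for each constructed source, where the unchecked and checked versions would send requests; the `gems.example.org.evil.example` row shows why the comparison has to be on a dot-separated suffix of the configured host, not merely on the target containing it.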
--- Begin Message ---
Source: ruby2.1
Source-Version: 2.1.5-4

We believe that the bug you reported is fixed in the latest version of
ruby2.1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <[email protected]> (supplier of updated ruby2.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 29 Jul 2015 22:18:59 -0300
Source: ruby2.1
Binary: ruby2.1 libruby2.1 ruby2.1-dev ruby2.1-doc ruby2.1-tcltk
Architecture: source all
Version: 2.1.5-4
Distribution: unstable
Urgency: medium
Maintainer: Antonio Terceiro <[email protected]>
Changed-By: Antonio Terceiro <[email protected]>
Description:
 libruby2.1 - Libraries necessary to run Ruby 2.1
 ruby2.1    - Interpreter of object-oriented scripting language Ruby
 ruby2.1-dev - Header files for compiling extension modules for the Ruby 2.1
 ruby2.1-doc - Documentation for Ruby 2.1
 ruby2.1-tcltk - Ruby/Tk for Ruby 2.1
Closes: 790119
Changes:
 ruby2.1 (2.1.5-4) unstable; urgency=medium
 .
   * debian/control: point Vcs-Git: to master-2.1 branch
   * Apply upstream patches to fix Request hijacking vulnerability in Rubygems
     [CVE-2015-3900] (Closes: #790119)
Checksums-Sha1:
 5ebba0c7cbb6c60ac90a0c3d791d562ad31da0b5 2420 ruby2.1_2.1.5-4.dsc
 29eadb1f6f372e7293dc9438a0a5b58a2ccd78e3 88192 ruby2.1_2.1.5-4.debian.tar.xz
 34ae16188db8b80a537aacbe7ee61b28910cbd7b 3329528 ruby2.1-doc_2.1.5-4_all.deb
Checksums-Sha256:
 c83b4add1862e393ddf3509099212c64aa3550b47cd8a15ff45d92bb6f6ed0a1 2420 ruby2.1_2.1.5-4.dsc
 90aac73cbe26a903aef2108bfba04caa5bead04489f0cdab39fd9985d9633803 88192 ruby2.1_2.1.5-4.debian.tar.xz
 e7c7961986912b8ea69185cc7524f94ac8773999efdad431991c2f5e2901d730 3329528 ruby2.1-doc_2.1.5-4_all.deb
Files:
 5d9ec0362b34c3f4792df11ce6fd331d 2420 ruby extra ruby2.1_2.1.5-4.dsc
 673d537934c35b71806f1a8ca700858e 88192 ruby extra ruby2.1_2.1.5-4.debian.tar.xz
 5f29077560b79c91ee5bfebda382aab8 3329528 doc extra ruby2.1-doc_2.1.5-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
