Your message dated Sun, 12 Nov 2017 15:34:53 +0000
with message-id <e1eduhd-000fun...@fasolo.debian.org>
and subject line Bug#879231: fixed in ruby2.3 2.3.3-1+deb9u2
has caused the Debian Bug report #879231,
regarding ruby2.3: CVE-2017-0903: Unsafe object deserialization through YAML formatted gem specifications
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
879231: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879231
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby2.3
Version: 2.3.3-1
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for ruby2.3.

CVE-2017-0903[0]:
| RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a
| possible remote code execution vulnerability. YAML deserialization of
| gem specifications can bypass class white lists. Specially crafted
| serialized objects can possibly be used to escalate to remote code
| execution.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-0903
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903
[1] http://www.openwall.com/lists/oss-security/2017/10/10/2
[2] https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49

Regards,
Salvatore

--- End Message ---
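The class and symbol allow-list that the CVE text and the changelog entry for CVE-2017-0903 describe, as an added example that is not part of the bug report or of RubyGems' own code. The permitted lists approximate RubyGems' post-fix Gem::SafeYAML and are an assumption, as are the constructed sample documents:

```ruby
require 'rubygems'
require 'yaml'

# Added example, not RubyGems' own code. Gem spec YAML is loaded the way the
# CVE-2017-0903 fix does it: only an allow-list of classes and symbols may be
# revived. Both lists are modelled on RubyGems' post-fix Gem::SafeYAML and
# are an assumption, not a copy of the upstream constants.
PERMITTED_CLASSES = [Gem::Specification, Gem::Version, Gem::Requirement,
                     Gem::Dependency, Gem::Platform, Symbol, Time].freeze
PERMITTED_SYMBOLS = %w[development runtime].freeze

# Psych raises Psych::DisallowedClass for a tag naming a class outside
# PERMITTED_CLASSES, and for a symbol outside PERMITTED_SYMBOLS, before any
# object is allocated. A permissive YAML.load would have instantiated it.
def load_spec_yaml(text)
  spec = YAML.safe_load(text, permitted_classes: PERMITTED_CLASSES,
                              permitted_symbols: PERMITTED_SYMBOLS)
  unless spec.is_a?(Gem::Specification)
    raise TypeError, "expected Gem::Specification, got #{spec.class}"
  end
  spec
end

# :ok, :disallowed (the allow-list rejected something) or :not_a_spec.
def classify_spec_yaml(text)
  load_spec_yaml(text)
  :ok
rescue Psych::DisallowedClass
  :disallowed
rescue TypeError
  :not_a_spec
end

# Constructed sample documents; "example-gem" is not a real gem.
GOOD_SPEC_YAML = <<~YAML
  --- !ruby/object:Gem::Specification
  name: example-gem
  version: !ruby/object:Gem::Version
    version: '1.0.0'
  platform: ruby
  dependencies:
  - !ruby/object:Gem::Dependency
    name: rake
    type: :development
YAML
# Same spec, but the dependency type is a symbol outside the allow-list.
BAD_SYMBOL_YAML = GOOD_SPEC_YAML.sub(':development', ':bogus')
# A tag naming a class the allow-list does not cover (it need not even exist).
FOREIGN_CLASS_YAML = "--- !ruby/object:Unexpected\nnote: constructed\n"
```

The rejection happens inside Psych's restricted class loader, so the check cannot be bypassed by a class name that merely looks similar to a permitted one.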
--- Begin Message ---
Source: ruby2.3
Source-Version: 2.3.3-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
ruby2.3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terce...@debian.org> (supplier of updated ruby2.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 22 Oct 2017 12:45:48 -0200
Source: ruby2.3
Binary: ruby2.3 libruby2.3 ruby2.3-dev ruby2.3-doc ruby2.3-tcltk
Architecture: source amd64 all
Version: 2.3.3-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Antonio Terceiro <terce...@debian.org>
Changed-By: Antonio Terceiro <terce...@debian.org>
Description:
 libruby2.3 - Libraries necessary to run Ruby 2.3
 ruby2.3    - Interpreter of object-oriented scripting language Ruby
 ruby2.3-dev - Header files for compiling extension modules for the Ruby 2.3
 ruby2.3-doc - Documentation for Ruby 2.3
 ruby2.3-tcltk - Ruby/Tk for Ruby 2.3
Closes: 875928 875931 875936 876377 879231
Changes:
 ruby2.3 (2.3.3-1+deb9u2) stretch-security; urgency=high
 .
   * asn1: fix out-of-bounds read in decoding constructed objects
     [CVE-2017-14033] (Closes: #875928)
     Original patch by Kazuki Yamaguchi; backported from the standalone openssl package
   * lib/webrick/log.rb: sanitize any type of logs
     [CVE-2017-10784] (Closes: #875931)
     Original patch by Yusuke Endoh; backported to Ruby 2.3 by Usaku NAKAMURA
   * fix Buffer underrun vulnerability in Kernel.sprintf
     [CVE-2017-0898] (Closes: #875936)
     Backported to Ruby 2.3 by Usaku NAKAMURA
   * Whitelist classes and symbols that are in Gem spec YAML
     [CVE-2017-0903] (Closes: #879231)
     Original patch by Aaron Patterson; backported from the standalone Rubygems
     package
   * thread_pthread.c: do not wakeup inside child processes
     Avoid child Ruby processes being stuck in a busy loop (Closes: #876377)
     Original patch by Eric Wong


--- End Message ---