Your message dated Fri, 07 Feb 2020 21:34:37 +0000
with message-id <[email protected]>
and subject line Bug#842504: fixed in bundler 2.1.4-1
has caused the Debian Bug report #842504,
regarding CVE-2016-7954: code execution via gem name collision in bundler
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
842504: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842504
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bundler
Version: 1.7.4-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for bundler.

CVE-2016-7954[0]:
code execution via gem name collision in bundler

Please correct me if I'm wrong. As far as I understand, this issue cannot
be fixed within the 1.x series due to lockfile format. This bug is to
continue tracking the CVE in the Debian BTS.

We have marked the issue as no-dsa already for jessie.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7954

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
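An added example, not code from this bug report or from the bundler package, of the kind of lockfile check the report's concern about gem name collisions suggests: it parses a constructed Gemfile.lock and flags any gem name that is listed under more than one source remote. The sample lockfile, and the reading of "name collision" as the same gem name appearing under two remotes, are assumptions of this example rather than statements from the report.

```ruby
# Added example, not code from the bug report or from bundler itself:
# flag gem names that a Gemfile.lock lists under more than one source remote.

# Constructed sample lockfile: "rake" appears under two remotes, "rack" under one.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.3)
      rake (13.0.1)

  GEM
    remote: https://gems.example.internal/
    specs:
      rake (13.0.1)

  DEPENDENCIES
    rack
    rake
LOCK

# Returns { gem_name => [remote, ...] } for every spec in a GEM block.
def gem_sources(lockfile_text)
  sources = Hash.new { |h, k| h[k] = [] }
  remote = nil
  in_specs = false
  lockfile_text.each_line do |raw|
    line = raw.chomp
    next if line.empty?
    if line !~ /\A\s/                 # unindented: a new top-level section
      remote = nil
      in_specs = false
    elsif line =~ /\A  remote: (\S+)\z/
      remote = Regexp.last_match(1)
    elsif line == '  specs:'
      in_specs = true
    elsif in_specs && remote && line =~ /\A    (\S+) \(/
      # exactly four spaces: a spec line, not a six-space dependency line
      sources[Regexp.last_match(1)] << remote
    end
  end
  sources
end

# Gem names resolvable from more than one remote are collision candidates.
def colliding_gems(lockfile_text)
  gem_sources(lockfile_text).select { |_, remotes| remotes.uniq.size > 1 }.keys.sort
end
```

Run against a real Gemfile.lock by passing `File.read('Gemfile.lock')` to `colliding_gems`; an empty result means every locked gem resolves from a single remote.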
--- Begin Message ---
Source: bundler
Source-Version: 2.1.4-1

We believe that the bug you reported is fixed in the latest version of
bundler, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated bundler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Fri, 07 Feb 2020 15:42:50 -0500
Source: bundler
Architecture: source
Version: 2.1.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Closes: 842504 945481
Changes:
 bundler (2.1.4-1) unstable; urgency=medium
 .
   [ Utkarsh Gupta ]
   * New upstream version 2.1.4
     - Fixes: CVE-2016-7954 (Closes: #842504)
   * Fix package wrt cme
     - Bump Standards-Version to 4.5.0
     - Bump debhelper-compat to 12
   * Bump minimum version of ruby-molinillo in ruby-bundler (Closes: #945481)
   * Change MIT -> Expat in d/copyright
   * Stop building manpages as they're shipped by upstream now
   * Update manpages shipped by upstream
   * Add myself as an uploader
   * Use AUTOPKGTEST_TMP in tests as ADTTMP is deprecated
   * Fix patches wrt new upstream release
   * Rename *-package -> *-cache in manpage name
   * Add salsa-ci.yml
 .
   [ David Rodriguez ]
   * Amend patch to not call the incorrect method


--- End Message ---
