Your message dated Wed, 10 Sep 2008 09:32:12 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496808: fixed in ruby1.8 1.8.7.72-1
has caused the Debian Bug report #496808,
regarding ruby1.8: DoS vulnerability in rexml parsing module
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
496808: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496808
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: ruby1.8
Version: 1.8.5-4etch2
Severity: grave
Tags: security
Justification: user security hole

The rexml lib is vulnerable to a DoS attack.
Please see
http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/.

I know there isn't an official patch yet (except the overloading of the REXML
module via
http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb), but I
expect that to be out soon.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-domu
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ruby1.8 depends on:
ii  libc6                  2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii  libruby1.8             1.8.5-4etch2      Libraries necessary to run Ruby 1.

ruby1.8 recommends no packages.

-- no debconf information



--- End Message ---
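The REXML expansion DoS the report above refers to, shown as an added example (this is not code from the bug report, the ruby-lang advisory or the Debian package): a constructed nested-entity document of the "billion laughs" type is parsed with REXML next to a benign document, and the expansion limit that the fix introduced stops the malicious one. The tunable names REXML::Security.entity_expansion_limit (current REXML) and REXML::Document.entity_expansion_limit (the 1.8.7-p72 spelling) are real; the helper names and both XML inputs are constructed for this example.

```ruby
require 'rexml/document'

# Benign document: one internal entity, expanded once.
# Constructed sample input, not taken from the bug report.
BENIGN_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE note [ <!ENTITY hi "hello"> ]>
  <note>&hi; world</note>
XML

# Constructed entity-expansion bomb: lol0 expands to "lol"; every lolN
# expands to FANOUT references to lol(N-1), so the single &lolDEPTH;
# in the root unfolds to FANOUT**DEPTH copies of "lol" (10**9 copies,
# about 3 GB of text, with the defaults) from a few hundred bytes of input.
def expansion_bomb_xml(depth: 9, fanout: 10)
  decls = ['<!ENTITY lol0 "lol">']
  (1..depth).each do |n|
    refs = "&lol#{n - 1};" * fanout
    decls << "<!ENTITY lol#{n} \"#{refs}\">"
  end
  <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE lolz [
    #{decls.join("\n")}
    ]>
    <lolz>&lol#{depth};</lolz>
  XML
end

# Parse the document and read the root element's text. REXML keeps text
# raw at parse time and resolves entity references when the value is read,
# so the expansion, and therefore the limit check, happens in .text.
def root_text(xml)
  REXML::Document.new(xml).root.text
end

# Returns {ok: true, bytes: n} when REXML produced the text, or
# {ok: false, error: message} when its expansion limit aborted processing.
# Since the CVE-2008-3790 fix, REXML counts entity expansions (later
# versions also bound the expanded size) and raises a RuntimeError once
# the limit is passed, instead of materialising the full result.
def parse_with_limit(xml)
  text = root_text(xml)
  { ok: true, bytes: text.bytesize }
rescue RuntimeError => e
  { ok: false, error: e.message }
end

# The tunable the fix introduced (default 10000 expansions). 1.8.7-p72
# exposed it as REXML::Document.entity_expansion_limit; current REXML
# moved it to REXML::Security.entity_expansion_limit.
def entity_expansion_limit
  if defined?(REXML::Security)
    REXML::Security.entity_expansion_limit
  else
    REXML::Document.entity_expansion_limit
  end
end

if $PROGRAM_NAME == __FILE__
  puts "entity expansion limit: #{entity_expansion_limit}"
  p parse_with_limit(BENIGN_XML)                          # {:ok=>true, :bytes=>11}
  p parse_with_limit(expansion_bomb_xml(depth: 2, fanout: 3))  # {:ok=>true, :bytes=>27}
  p parse_with_limit(expansion_bomb_xml)                  # ok: false, limit error
end
```

The small bomb (depth 2, fanout 3) needs only 13 expansions and goes through, which is the point of a counting limit: legitimate nested entities keep working while the nine-level document is refused long before its output would be allocated. Applications that accept XML from untrusted sources should still lower the limit to what their own documents need, or parse without DTD entity support where the format does not require it.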
--- Begin Message ---
Source: ruby1.8
Source-Version: 1.8.7.72-1

We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive:

irb1.8_1.8.7.72-1_all.deb
  to pool/main/r/ruby1.8/irb1.8_1.8.7.72-1_all.deb
libdbm-ruby1.8_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/libdbm-ruby1.8_1.8.7.72-1_i386.deb
libgdbm-ruby1.8_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/libgdbm-ruby1.8_1.8.7.72-1_i386.deb
libopenssl-ruby1.8_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/libopenssl-ruby1.8_1.8.7.72-1_i386.deb
libreadline-ruby1.8_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/libreadline-ruby1.8_1.8.7.72-1_i386.deb
libruby1.8-dbg_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/libruby1.8-dbg_1.8.7.72-1_i386.deb
libruby1.8_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/libruby1.8_1.8.7.72-1_i386.deb
libtcltk-ruby1.8_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/libtcltk-ruby1.8_1.8.7.72-1_i386.deb
rdoc1.8_1.8.7.72-1_all.deb
  to pool/main/r/ruby1.8/rdoc1.8_1.8.7.72-1_all.deb
ri1.8_1.8.7.72-1_all.deb
  to pool/main/r/ruby1.8/ri1.8_1.8.7.72-1_all.deb
ruby1.8-dev_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/ruby1.8-dev_1.8.7.72-1_i386.deb
ruby1.8-elisp_1.8.7.72-1_all.deb
  to pool/main/r/ruby1.8/ruby1.8-elisp_1.8.7.72-1_all.deb
ruby1.8-examples_1.8.7.72-1_all.deb
  to pool/main/r/ruby1.8/ruby1.8-examples_1.8.7.72-1_all.deb
ruby1.8_1.8.7.72-1.diff.gz
  to pool/main/r/ruby1.8/ruby1.8_1.8.7.72-1.diff.gz
ruby1.8_1.8.7.72-1.dsc
  to pool/main/r/ruby1.8/ruby1.8_1.8.7.72-1.dsc
ruby1.8_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/ruby1.8_1.8.7.72-1_i386.deb
ruby1.8_1.8.7.72.orig.tar.gz
  to pool/main/r/ruby1.8/ruby1.8_1.8.7.72.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lucas Nussbaum <[EMAIL PROTECTED]> (supplier of updated ruby1.8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 10 Sep 2008 10:27:45 +0200
Source: ruby1.8
Binary: ruby1.8 libruby1.8 libruby1.8-dbg ruby1.8-dev libdbm-ruby1.8 
libgdbm-ruby1.8 libreadline-ruby1.8 libtcltk-ruby1.8 libopenssl-ruby1.8 
ruby1.8-examples ruby1.8-elisp ri1.8 rdoc1.8 irb1.8
Architecture: source all i386
Version: 1.8.7.72-1
Distribution: unstable
Urgency: high
Maintainer: akira yamada <[EMAIL PROTECTED]>
Changed-By: Lucas Nussbaum <[EMAIL PROTECTED]>
Description: 
 irb1.8     - Interactive Ruby (for Ruby 1.8)
 libdbm-ruby1.8 - DBM interface for Ruby 1.8
 libgdbm-ruby1.8 - GDBM interface for Ruby 1.8
 libopenssl-ruby1.8 - OpenSSL interface for Ruby 1.8
 libreadline-ruby1.8 - Readline interface for Ruby 1.8
 libruby1.8 - Libraries necessary to run Ruby 1.8
 libruby1.8-dbg - Debugging symbols for Ruby 1.8
 libtcltk-ruby1.8 - Tcl/Tk interface for Ruby 1.8
 rdoc1.8    - Generate documentation from Ruby source files (for Ruby 1.8)
 ri1.8      - Ruby Interactive reference (for Ruby 1.8)
 ruby1.8    - Interpreter of object-oriented scripting language Ruby 1.8
 ruby1.8-dev - Header files for compiling extension modules for the Ruby 1.8
 ruby1.8-elisp - ruby-mode for Emacsen
 ruby1.8-examples - Examples for Ruby 1.8
Closes: 494401 496808
Changes: 
 ruby1.8 (1.8.7.72-1) unstable; urgency=high
 .
   * New upstream release.
     - many patches in 1.8.7.22-4 were simply backported from upstream SVN, and
       are integrated into that release. We drop those:
       + 103_array_c_r17472_to_r17756.dpatch
       + 810_ruby187p22_fixes.dpatch
       + 811_multiple_vuln_200808.dpatch
     - Fixes the following security issues: (Closes: #494401)
       * Several vulnerabilities in safe level
       * DoS vulnerability in WEBrick
       * Lack of taintness check in dl
       * DNS spoofing vulnerability in resolv.rb (CVE-2008-1447)
   * Applied debian/patches/168_rexml_dos.dpatch:
     Fix CVE-2008-3790 (REXML expansion DOS). Closes: #496808.
Checksums-Sha1: 
 5fade39fa35c59429ae08130c25870017e9411f0 1617 ruby1.8_1.8.7.72-1.dsc
 fe1c5ffad9924076f36768890255f022c51f9a4e 4805594 ruby1.8_1.8.7.72.orig.tar.gz
 40f5331a41249eae121a2dc30d57129fee27c26a 48378 ruby1.8_1.8.7.72-1.diff.gz
 dc6b0601a7b02cd6b70be894227cbc1acd7d1ab5 308268 ruby1.8-examples_1.8.7.72-1_all.deb
 a6be6112ad4de3649e0d96037776bfa923c8db51 277682 ruby1.8-elisp_1.8.7.72-1_all.deb
 80367f118d4a7b387a25f2ab7ef818f09fbc2e63 1411468 ri1.8_1.8.7.72-1_all.deb
 75e69d0a962b788cbab3a5a7525c7416fd928782 377778 rdoc1.8_1.8.7.72-1_all.deb
 c953faf07d4ec95673e6e5df76ccdc1d9fd773fa 303462 irb1.8_1.8.7.72-1_all.deb
 6cee99f98696f9c163061d78181824feff86a981 282800 ruby1.8_1.8.7.72-1_i386.deb
 251f8fc745f785816ab5819b57007879aa35f05f 1673758 libruby1.8_1.8.7.72-1_i386.deb
 ba3543b59e06c3948e3e45e8226e8c9bca9bbab4 1450732 libruby1.8-dbg_1.8.7.72-1_i386.deb
 ec2f9e8b5bbca0a047d1aebaae7db7b396c5598e 825788 ruby1.8-dev_1.8.7.72-1_i386.deb
 a9bec3c727d927e661dcf42686d7dff67a2544a2 264458 libdbm-ruby1.8_1.8.7.72-1_i386.deb
 6cc39ea191776257b58c7792754ce0c24765fed8 263344 libgdbm-ruby1.8_1.8.7.72-1_i386.deb
 7ec41c118cfd5b1b3ff5f9cc49f73da8f0a98eb1 263594 libreadline-ruby1.8_1.8.7.72-1_i386.deb
 dccea8cb868c804ed1bc534721884e8ec33f20c7 2001932 libtcltk-ruby1.8_1.8.7.72-1_i386.deb
 2a4e2417ff4f971c1773d99e3a17d42be690d418 378016 libopenssl-ruby1.8_1.8.7.72-1_i386.deb
Checksums-Sha256: 
 54ec31abc5e586fbb070e467981ba534aeb93c99009e41ccb3e4722c57ba75c2 1617 ruby1.8_1.8.7.72-1.dsc
 e15ca005076f5d6f91fc856fdfbd071698a4cadac3c6e25855899dba1f6fc5ef 4805594 ruby1.8_1.8.7.72.orig.tar.gz
 adbe6a3ef05bd830ff77eb04667fa4c13bc04337a6936770290cb988e2bddec4 48378 ruby1.8_1.8.7.72-1.diff.gz
 da8ff2843a2342383bd3d766f79c7db822299861764fa6fa8d06120ca8ab7475 308268 ruby1.8-examples_1.8.7.72-1_all.deb
 6658e02877b87bf4da3edfc6742faa161f24216bd3a6deb31c4e201826a91130 277682 ruby1.8-elisp_1.8.7.72-1_all.deb
 3f84291da587d0607a4c65501474990746716508b55da55689fda706e8882f23 1411468 ri1.8_1.8.7.72-1_all.deb
 eafc787f8ab13113c54acea9de6d61471f023b948f8c962d57bc2f937c5eb05f 377778 rdoc1.8_1.8.7.72-1_all.deb
 2406340b0823c8991bb9dc12521e98740e285c7420fea70f2f2c9c565c8e4f2a 303462 irb1.8_1.8.7.72-1_all.deb
 1793e4fb0d9e6de2c7443ab417b589990ae8ec3e6bdcf1856ecc666a73787839 282800 ruby1.8_1.8.7.72-1_i386.deb
 e8c15025891443a8b2df0160a71462c25eab8f13c0c8b680c3a4ecc71a23b787 1673758 libruby1.8_1.8.7.72-1_i386.deb
 bcd4e4e5b7fb012805e2c22f1e98619704954c0b4731d3e6ba2bf3ec1109474d 1450732 libruby1.8-dbg_1.8.7.72-1_i386.deb
 0f729e1c6bccc26e5a034ab8dcfda603a3396e66d9524e65b38508fb60ed5312 825788 ruby1.8-dev_1.8.7.72-1_i386.deb
 93e0278ec89b15200df07386da272fc8a86b6f14549d746b70cb84ba958b74d7 264458 libdbm-ruby1.8_1.8.7.72-1_i386.deb
 792a4a3de2c8bebde6b8ab5333137755fb53c16fc09580902eb983acc07cd819 263344 libgdbm-ruby1.8_1.8.7.72-1_i386.deb
 14196a64f1d2b9bacabeafb7a3ad9ef4d0d8d8d0c1b4e1ba0565446344f615a5 263594 libreadline-ruby1.8_1.8.7.72-1_i386.deb
 42280f99f7a2ef3369045879a369888adc8ae005077cbd4756453ec62e8eba05 2001932 libtcltk-ruby1.8_1.8.7.72-1_i386.deb
 f6d17cd48c76bee97232d85016f003778b34ad742076a0f910824b0b15673bd4 378016 libopenssl-ruby1.8_1.8.7.72-1_i386.deb
Files: 
 46a174440af588410b28bef7ff05dfe3 1617 interpreters optional ruby1.8_1.8.7.72-1.dsc
 5e5b7189674b3a7f69401284f6a7a36d 4805594 interpreters optional ruby1.8_1.8.7.72.orig.tar.gz
 57f6ef36973a901dc15523e8c167c11d 48378 interpreters optional ruby1.8_1.8.7.72-1.diff.gz
 fd3bc19f8ccab85a7e712e0b99d23665 308268 interpreters optional ruby1.8-examples_1.8.7.72-1_all.deb
 8252a55bea45582f4ac944b4adb5127b 277682 interpreters optional ruby1.8-elisp_1.8.7.72-1_all.deb
 58b1a8bbb7d9697df1b22a72b3cc97fa 1411468 interpreters optional ri1.8_1.8.7.72-1_all.deb
 ec6a623d465b5d25c32f963d65ba6dc2 377778 doc optional rdoc1.8_1.8.7.72-1_all.deb
 17f8705ceba3c54342f883fe764a9f40 303462 interpreters optional irb1.8_1.8.7.72-1_all.deb
 b3154fada68a48f535d58e0a694ec7e3 282800 interpreters optional ruby1.8_1.8.7.72-1_i386.deb
 643693622707cc369741183dd6500e85 1673758 libs optional libruby1.8_1.8.7.72-1_i386.deb
 24ec822a841996c3443c0b74ab115c46 1450732 libdevel extra libruby1.8-dbg_1.8.7.72-1_i386.deb
 306c79f4810b70197df86b6859907b7c 825788 devel optional ruby1.8-dev_1.8.7.72-1_i386.deb
 c23837051816e2a8756f1eae243efcad 264458 interpreters optional libdbm-ruby1.8_1.8.7.72-1_i386.deb
 d4e6b3016b9bb09546bfdcf7ba1ef5cb 263344 interpreters optional libgdbm-ruby1.8_1.8.7.72-1_i386.deb
 29e26584235749c30aba5448e08cdc1d 263594 interpreters optional libreadline-ruby1.8_1.8.7.72-1_i386.deb
 51998d79f775bb8f6ccb6000cca64e75 2001932 interpreters optional libtcltk-ruby1.8_1.8.7.72-1_i386.deb
 b875864048e054a365e4700908839608 378016 interpreters optional libopenssl-ruby1.8_1.8.7.72-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIx5Kj2hliNwI7P08RAkbfAJ0dn8c7pyaNU4uDCGhyCcIDbFZJTQCfVNue
RQrc3/fcw1eoS7x1iBmA66w=
=hzvs
-----END PGP SIGNATURE-----



--- End Message ---