Your message dated Thu, 17 Dec 2009 00:39:08 +0000
with message-id <[email protected]>
and subject line Bug#513528: fixed in ruby1.9 1.9.0.2-9lenny1
has caused the Debian Bug report #513528,
regarding ruby1.9: Not properly checking the return value of OCSP_basic_verify
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
513528: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ruby1.9
Severity: serious
Tags: security
Hi,
I was looking at return codes for applications making use of
openssl functions and found this in ext/openssl/ossl_ocsp.c:
result = OCSP_basic_verify(bs, x509s, x509st, flg);
sk_X509_pop_free(x509s, X509_free);
if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));
return result ? Qtrue : Qfalse;
OCSP_basic_verify() can return both 0 and -1 in error cases,
so this function can incorrectly return information to the
caller.
I have no idea what this code is used for and what the consequences
of this might be.
Kurt
--- End Message ---
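Added illustration of the mapping problem described in the report above (this is not code from the ruby1.9 package or from the upstream fix): the truthiness test from the snippet beside a mapping that accepts only an explicit success code. The convention that OCSP_basic_verify() returns 1 on success, 0 on verification failure and -1 on a fatal error is assumed from the OpenSSL documentation, not taken from the page, and the library itself is not linked; a constructed set of error codes is fed through both mappings.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Assumed OCSP_basic_verify() convention (not from the bug report):
 *   1  = response verified
 *   0  = verification failed (e.g. bad signature, untrusted signer)
 *  -1  = fatal error (e.g. malformed input, allocation failure)
 * The real function is not called here; the int is fed in directly. */

/* Mapping as written in the ossl_ocsp.c snippet: any non-zero value,
 * -1 included, becomes "true", so a fatal error reads as "verified". */
static bool ocsp_result_to_bool_buggy(int result)
{
    return result ? true : false;
}

/* Corrected mapping: only an explicit 1 means the response verified;
 * 0 and every negative code are reported as failure. */
static bool ocsp_result_to_bool_fixed(int result)
{
    return result == 1;
}

/* Counts how many codes from a constructed error set a mapping would
 * report as success. A sound mapping returns 0 here. */
static int count_errors_reported_as_success(bool (*map)(int))
{
    const int error_codes[] = { 0, -1 };   /* constructed sample set */
    size_t n = sizeof error_codes / sizeof error_codes[0];
    int false_positives = 0;
    for (size_t i = 0; i < n; i++)
        if (map(error_codes[i]))
            false_positives++;
    return false_positives;
}

int main(void)
{
    printf("buggy mapping: %d of 2 error codes reported as verified\n",
           count_errors_reported_as_success(ocsp_result_to_bool_buggy));
    printf("fixed mapping: %d of 2 error codes reported as verified\n",
           count_errors_reported_as_success(ocsp_result_to_bool_fixed));
    return 0;
}
```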
--- Begin Message ---
Source: ruby1.9
Source-Version: 1.9.0.2-9lenny1
We believe that the bug you reported is fixed in the latest version of
ruby1.9, which is due to be installed in the Debian FTP archive:
irb1.9_1.9.0.2-9lenny1_all.deb
to main/r/ruby1.9/irb1.9_1.9.0.2-9lenny1_all.deb
libdbm-ruby1.9_1.9.0.2-9lenny1_i386.deb
to main/r/ruby1.9/libdbm-ruby1.9_1.9.0.2-9lenny1_i386.deb
libgdbm-ruby1.9_1.9.0.2-9lenny1_i386.deb
to main/r/ruby1.9/libgdbm-ruby1.9_1.9.0.2-9lenny1_i386.deb
libopenssl-ruby1.9_1.9.0.2-9lenny1_i386.deb
to main/r/ruby1.9/libopenssl-ruby1.9_1.9.0.2-9lenny1_i386.deb
libreadline-ruby1.9_1.9.0.2-9lenny1_i386.deb
to main/r/ruby1.9/libreadline-ruby1.9_1.9.0.2-9lenny1_i386.deb
libruby1.9-dbg_1.9.0.2-9lenny1_i386.deb
to main/r/ruby1.9/libruby1.9-dbg_1.9.0.2-9lenny1_i386.deb
libruby1.9_1.9.0.2-9lenny1_i386.deb
to main/r/ruby1.9/libruby1.9_1.9.0.2-9lenny1_i386.deb
libtcltk-ruby1.9_1.9.0.2-9lenny1_i386.deb
to main/r/ruby1.9/libtcltk-ruby1.9_1.9.0.2-9lenny1_i386.deb
rdoc1.9_1.9.0.2-9lenny1_all.deb
to main/r/ruby1.9/rdoc1.9_1.9.0.2-9lenny1_all.deb
ri1.9_1.9.0.2-9lenny1_all.deb
to main/r/ruby1.9/ri1.9_1.9.0.2-9lenny1_all.deb
ruby1.9-dev_1.9.0.2-9lenny1_i386.deb
to main/r/ruby1.9/ruby1.9-dev_1.9.0.2-9lenny1_i386.deb
ruby1.9-elisp_1.9.0.2-9lenny1_all.deb
to main/r/ruby1.9/ruby1.9-elisp_1.9.0.2-9lenny1_all.deb
ruby1.9-examples_1.9.0.2-9lenny1_all.deb
to main/r/ruby1.9/ruby1.9-examples_1.9.0.2-9lenny1_all.deb
ruby1.9_1.9.0.2-9lenny1.diff.gz
to main/r/ruby1.9/ruby1.9_1.9.0.2-9lenny1.diff.gz
ruby1.9_1.9.0.2-9lenny1.dsc
to main/r/ruby1.9/ruby1.9_1.9.0.2-9lenny1.dsc
ruby1.9_1.9.0.2-9lenny1_i386.deb
to main/r/ruby1.9/ruby1.9_1.9.0.2-9lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 513528@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
akira yamada <[email protected]> (supplier of updated ruby1.9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 10 Jul 2009 16:21:55 +0900
Source: ruby1.9
Binary: ruby1.9 libruby1.9 libruby1.9-dbg ruby1.9-dev libdbm-ruby1.9
libgdbm-ruby1.9 libreadline-ruby1.9 libtcltk-ruby1.9 libopenssl-ruby1.9
ruby1.9-examples ruby1.9-elisp ri1.9 rdoc1.9 irb1.9
Architecture: source all i386
Version: 1.9.0.2-9lenny1
Distribution: stable-security
Urgency: high
Maintainer: akira yamada <[email protected]>
Changed-By: akira yamada <[email protected]>
Description:
irb1.9 - Interactive Ruby (for Ruby 1.9)
libdbm-ruby1.9 - DBM interface for Ruby 1.9
libgdbm-ruby1.9 - GDBM interface for Ruby 1.9
libopenssl-ruby1.9 - OpenSSL interface for Ruby 1.9
libreadline-ruby1.9 - Readline interface for Ruby 1.9
libruby1.9 - Libraries necessary to run Ruby 1.9
libruby1.9-dbg - Debugging symbols for Ruby 1.9
libtcltk-ruby1.9 - Tcl/Tk interface for Ruby 1.9
rdoc1.9 - Generate documentation from Ruby source files (for Ruby 1.9)
ri1.9 - Ruby Interactive reference (for Ruby 1.9)
ruby1.9 - Interpreter of object-oriented scripting language Ruby 1.9
ruby1.9-dev - Header files for compiling extension modules for the Ruby 1.9
ruby1.9-elisp - ruby-mode for Emacsen
ruby1.9-examples - Examples for Ruby 1.9
Closes: 513528
Changes:
ruby1.9 (1.9.0.2-9lenny1) stable-security; urgency=high
.
* added patch: 932_CVE-2009-1904 (ref: #532689)
It fixes BigDecimal DoS vulnerability (CVE-2009-1904). (backported from
1.8.7-p172 and 1.8.7-p174)
* Add upstream patch to properly check return values of the
OCSP_basic_verify function (CVE-2009-0642; Closes: #513528)
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---