Your message dated Fri, 21 Jul 2017 12:21:27 +0000
with message-id <e1dywvv-0008gr...@fasolo.debian.org>
and subject line Bug#868572: fixed in ruby-mixlib-archive 0.4.1-1
has caused the Debian Bug report #868572,
regarding ruby-mixlib-archive: CVE-2017-1000026
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
868572: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868572
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-mixlib-archive
Version: 0.2.0-1
Severity: important
Tags: upstream patch security fixed-upstream
Forwarded: https://github.com/chef/mixlib-archive/pull/6

Hi,

the following vulnerability was published for ruby-mixlib-archive.

CVE-2017-1000026[0]:
| Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable
| to a directory traversal attack allowing attackers to overwrite
| arbitrary files by using ".." in tar archive entries

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000026
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000026
[1] https://github.com/chef/mixlib-archive/pull/6

Regards,
Salvatore

--- End Message ---
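
The traversal in the CVE description above comes from trusting ".." in tar entry names when computing where a file is written. The following is an added example, not part of the original messages and not mixlib-archive's own fix: a lexical containment check applied to every entry of a tar stream before anything is extracted. The names contained_target, audit_tar and sample_tar and the directory /srv/extract are assumptions; POSIX-style paths are assumed, and symlink entries are not covered by a lexical check.

```ruby
require "rubygems/package" # tar reader/writer shipped with Ruby
require "stringio"

# Return the absolute path an entry would be written to under dest_dir,
# or nil when the entry name would resolve outside dest_dir.
def contained_target(dest_dir, entry_name)
  root = File.expand_path(dest_dir)
  return nil if entry_name.empty? || entry_name.include?("\0")
  return nil if entry_name.start_with?("/") # absolute names ignore dest_dir
  # Join first so a leading "~" is never expanded, then collapse "." and "..".
  target = File.expand_path(File.join(root, entry_name))
  # Trailing separator keeps "/srv/extract-evil" from matching "/srv/extract".
  prefix = root.end_with?("/") ? root : root + "/"
  target == root || target.start_with?(prefix) ? target : nil
end

# Partition the entries of a tar stream into [safe_targets, rejected_names].
# Nothing is extracted; callers should refuse the archive if any name is rejected.
def audit_tar(io, dest_dir)
  safe = []
  rejected = []
  Gem::Package::TarReader.new(io).each do |entry|
    target = contained_target(dest_dir, entry.full_name)
    target ? safe << target : rejected << entry.full_name
  end
  [safe, rejected]
end

# Constructed sample archive, built in memory (nothing touches the disk).
def sample_tar
  io = StringIO.new(String.new)
  names = ["docs/readme.txt", "docs/../notes.txt",
           "../outside.txt", "a/../../outside.txt"]
  Gem::Package::TarWriter.new(io) do |tar|
    names.each { |n| tar.add_file_simple(n, 0o644, 2) { |f| f.write("hi") } }
  end
  io.rewind
  io
end

if __FILE__ == $PROGRAM_NAME
  safe, rejected = audit_tar(sample_tar, "/srv/extract")
  puts "safe:     #{safe.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```
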
--- Begin Message ---
Source: ruby-mixlib-archive
Source-Version: 0.4.1-1

We believe that the bug you reported is fixed in the latest version of
ruby-mixlib-archive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lucas Kanashiro <kanash...@debian.org> (supplier of updated ruby-mixlib-archive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 21 Jul 2017 07:57:55 -0300
Source: ruby-mixlib-archive
Binary: ruby-mixlib-archive
Architecture: source
Version: 0.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Lucas Kanashiro <kanash...@debian.org>
Description:
 ruby-mixlib-archive - simple interface to various archive formats
Closes: 868572
Changes:
 ruby-mixlib-archive (0.4.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 0.4.1: fixes CVE-2017-1000026 (Closes: #868572)
   * Bump debhelper compatibility level to 10
   * Declare compliance with Debian Policy 4.0.0

--- End Message ---
