Your message dated Sat, 25 Aug 2018 12:05:32 +0000
with message-id <e1ftxjs-0009yi...@fasolo.debian.org>
and subject line Bug#903980: fixed in ruby-doorkeeper 4.4.2-1
has caused the Debian Bug report #903980,
regarding ruby-doorkeeper: CVE-2018-1000211: Public apps can't revoke OAuth 
access & refresh tokens in Doorkeeper
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
903980: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903980
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-doorkeeper
Version: 4.2.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/doorkeeper-gem/doorkeeper/issues/891

Hi,

The following vulnerability was published for ruby-doorkeeper.

CVE-2018-1000211[0]:
| Doorkeeper version 4.2.0 and later contains an Incorrect Access Control
| vulnerability in Token revocation API's authorized method that can
| result in Access tokens not being revoked for public OAuth apps, leaking
| access until expiry.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000211
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000211
[1] https://github.com/doorkeeper-gem/doorkeeper/issues/891

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ruby-doorkeeper
Source-Version: 4.4.2-1

We believe that the bug you reported is fixed in the latest version of
ruby-doorkeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <prav...@debian.org> (supplier of updated ruby-doorkeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Aug 2018 17:22:16 +0530
Source: ruby-doorkeeper
Binary: ruby-doorkeeper
Architecture: source
Version: 4.4.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Pirate Praveen <prav...@debian.org>
Description:
 ruby-doorkeeper - OAuth 2 provider for Rails and Grape
Closes: 903980
Changes:
 ruby-doorkeeper (4.4.2-1) unstable; urgency=medium
 .
   * New upstream version 4.4.2 (Closes: #903980)
     (Fixes: CVE-2018-1000211, CVE-2018-1000088)
   * Bump Standards-Version to 4.2.0 (no changes needed)


--- End Message ---
