Your message dated Thu, 03 Sep 2020 08:48:32 +0000
with message-id <[email protected]>
and subject line Bug#964274: fixed in ruby-websocket-extensions 0.1.5-1
has caused the Debian Bug report #964274,
regarding ruby-websocket-extensions: CVE-2020-7663
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
964274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964274
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-websocket-extensions
Version: 0.1.2-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for ruby-websocket-extensions.

CVE-2020-7663[0]:
| websocket-extensions ruby module prior to 0.1.5 allows Denial of
| Service (DoS) via Regex Backtracking. The extension parser may take
| quadratic time when parsing a header containing an unclosed string
| parameter value whose content is a repeating two-byte sequence of a
| backslash and some other character. This could be abused by an
| attacker to conduct Regex Denial Of Service (ReDoS) on a
| single-threaded server by providing a malicious payload with the
| Sec-WebSocket-Extensions header.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7663
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7663
[1] https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
[2] https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b

Regards,
Salvatore

--- End Message ---
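The advisory quoted above describes a header parser that backtracks quadratically on an unclosed quoted-string value. As an added illustration (not the upstream library's code and not its actual fix), the StringScanner-based parser below shows the structure a linear-time parser for Sec-WebSocket-Extensions needs: every match is anchored at the current position and consumes at least one byte, so an unterminated value of the shape described above is rejected after a single pass. The grammar follows RFC 6455 section 9.1; the module and method names are assumptions of this example.

```ruby
require "strscan"
# Added illustration, not the upstream library's code: a Sec-WebSocket-Extensions
# parser on StringScanner. Every scan is anchored and consumes at least one byte,
# so an unclosed quoted-string costs one O(n) pass, not quadratic backtracking.
# Grammar (RFC 6455 9.1): ext *("," ext); ext = token *(";" token ["=" value])
module ExtensionHeader
  TOKEN = /[-!#%&'*+.^_`|~$\w]+/

  # Skips optional whitespace, then scans the given pattern; nil when absent.
  def self.lit(s, re)
    s.skip(/[ \t]*/)
    s.scan(re)
  end

  def self.token(s)
    lit(s, TOKEN) or raise ArgumentError, "expected token at #{s.pos}"
  end

  # Returns [{name:, params:}, ...]; raises ArgumentError on malformed input.
  def self.parse(header)
    s = StringScanner.new(header)
    exts = [extension(s)]
    exts << extension(s) while lit(s, /,/)
    raise ArgumentError, "unexpected byte at #{s.pos}" unless s.eos?
    exts
  end

  # Called after the opening quote. Each turn consumes a run of plain bytes, one
  # backslash-escaped pair, or the closing quote; nothing is ever rescanned.
  def self.quoted_string(s)
    out = +""
    until s.skip(/"/)
      if s.scan(/\\(.)/m) then out << s[1]
      elsif (run = s.scan(/[^"\\]+/)) then out << run
      else raise ArgumentError, "unclosed quoted-string at #{s.pos}"
      end
    end
    out
  end

  def self.extension(s)
    ext = { name: token(s), params: {} }
    while lit(s, /;/)
      key = token(s)
      # A bare parameter name is a flag; otherwise the value is a token or quoted-string.
      value = lit(s, /=/) && (lit(s, /"/) ? quoted_string(s) : token(s))
      ext[:params][key] = value || true
    end
    ext
  end
end
```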
--- Begin Message ---
Source: ruby-websocket-extensions
Source-Version: 0.1.5-1
Done: Pirate Praveen <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ruby-websocket-extensions, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <[email protected]> (supplier of updated 
ruby-websocket-extensions package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 03 Sep 2020 13:48:45 +0530
Source: ruby-websocket-extensions
Architecture: source
Version: 0.1.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Pirate Praveen <[email protected]>
Closes: 964274
Changes:
 ruby-websocket-extensions (0.1.5-1) unstable; urgency=medium
 .
   [ Hleb Valoshka ]
   * Remove myself from uploaders
 .
   [ Utkarsh Gupta ]
   * Add salsa-ci.yml
 .
   [ Debian Janitor ]
   * Use secure copyright file specification URI.
   * Use secure URI in debian/watch.
   * Use secure URI in Homepage field.
   * Bump debhelper from deprecated 9 to 12.
   * Set debhelper-compat version in Build-Depends.
   * Update Vcs-* headers from URL redirect.
   * Use canonical URL in Vcs-Git.
   * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
     Repository-Browse.
 .
   [ Cédric Boutillier ]
   * [ci skip] Update team name
 .
   [ Pirate Praveen ]
   * Bump Standards-Version to 4.5.0 (no changes needed)
   * New upstream version 0.1.5 (Closes: #964274) (Fixes: CVE-2020-7663)
   * Add myself to uploaders

--- End Message ---