Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Dear Release Team,

ruby-rack-ssl 1.3.2-3 contains a backport of a security fix for CVE-2014-2538 (BTS #742186). Please unblock package ruby-rack-ssl. Debdiff attached.

Thanks,
Christian

unblock ruby-rack-ssl/1.3.2-3
diff -Nru ruby-rack-ssl-1.3.2/debian/changelog ruby-rack-ssl-1.3.2/debian/changelog --- ruby-rack-ssl-1.3.2/debian/changelog 2014-03-29 18:06:59.000000000 +0100 +++ ruby-rack-ssl-1.3.2/debian/changelog 2014-11-30 15:28:01.000000000 +0100 @@ -1,3 +1,13 @@ +ruby-rack-ssl (1.3.2-4) unstable; urgency=medium + + * Team upload. + * Add patch to fix CVE-2014-2538. Our patch is based on + upstream 9d7d7300b907e496db68d89d07fbc2e0df0b487b. + (Closes: #742186) + Thanks to Moritz Muehlenhoff for the pointer. + + -- Christian Hofstaedtler <[email protected]> Sun, 30 Nov 2014 15:24:17 +0100 + ruby-rack-ssl (1.3.2-3) unstable; urgency=medium * Add myself to Uploaders: diff -Nru ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch --- ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch 2014-11-30 15:23:33.000000000 +0100 
@@ -0,0 +1,27 @@ +From 9d7d7300b907e496db68d89d07fbc2e0df0b487b Mon Sep 17 00:00:00 2001 +From: Xavier Shay <[email protected]> +Date: Tue, 9 Jul 2013 08:49:27 -0700 +Subject: [PATCH] Handle bad URIs gracefully. + +Some adapters (i.e. jruby-rack) will pass through bad URIs, then display +the resulting exception. This creates an attack vector for XSS attacks. + +[Refreshed for 1.3.x, remove test as 1.3.x has no tests. [email protected].] +--- + lib/rack/ssl.rb | 2 ++ + test/test_ssl.rb | 8 ++++++++ + 2 files changed, 10 insertions(+) + +Index: ruby-rack-ssl/lib/rack/ssl.rb +=================================================================== +--- ruby-rack-ssl.orig/lib/rack/ssl.rb 2014-11-30 15:22:21.088079637 +0100 ++++ ruby-rack-ssl/lib/rack/ssl.rb 2014-11-30 15:23:31.800007708 +0100 +@@ -54,6 +54,8 @@ module Rack + 'Location' => url.to_s) + + [301, headers, []] ++ rescue URI::InvalidURIError ++ [404, {}, []] + end + + # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 diff -Nru ruby-rack-ssl-1.3.2/debian/patches/series ruby-rack-ssl-1.3.2/debian/patches/series --- ruby-rack-ssl-1.3.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ ruby-rack-ssl-1.3.2/debian/patches/series 2014-11-30 15:19:41.000000000 +0100 @@ -0,0 +1 @@ +0001-Handle-bad-URIs-gracefully.patch
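Review bot: the changelog hunk introduces version 1.3.2-4, but the request text and the `unblock ruby-rack-ssl/1.3.2-3` line ask for 1.3.2-3, which per the changelog only added an Uploaders entry; the unblock line should read `unblock ruby-rack-ssl/1.3.2-4` so the release team acts on the upload that actually carries the CVE-2014-2538 fix. The entry itself is complete: it names the CVE, the upstream commit 9d7d7300b907e496db68d89d07fbc2e0df0b487b it is based on, and closes #742186.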
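Review bot: the diffstat in the header of 0001-Handle-bad-URIs-gracefully.patch still lists `test/test_ssl.rb | 8 ++++++++` and `2 files changed, 10 insertions(+)`, while the bracketed refresh note says the test was removed for 1.3.x and the body only touches `lib/rack/ssl.rb`; regenerate or trim the diffstat so the header matches the single hunk that follows. On the code, the new `rescue URI::InvalidURIError` arm returns `[404, {}, []]` with an empty header hash; Rack::Lint in the Rack 1.x series rejects a response without a Content-Type for any status other than 1xx, 204 or 304, so a minimal `{'Content-Type' => 'text/plain'}` (a suggested header, not part of the upstream change) would keep the error path clean under Lint. Mapping the invalid URI to a bare 404 instead of letting the exception propagate is the right call here, since it keeps the malformed request URI out of the adapter's error page, which is the XSS path the commit message describes.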

