Your message dated Sun, 30 Nov 2014 15:46:34 +0000
with message-id <[email protected]>
and subject line Re: Bug#771543: unblock: ruby-rack-ssl/1.3.2-3
has caused the Debian Bug report #771543,
regarding unblock: ruby-rack-ssl/1.3.2-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
771543: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771543
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Dear Release Team,
ruby-rack-ssl 1.3.2-3 contains a backport of a security fix for
CVE-2014-2538 (BTS #742186).
Please unblock package ruby-rack-ssl. Debdiff attached.
Thanks,
Christian
unblock ruby-rack-ssl/1.3.2-3
diff -Nru ruby-rack-ssl-1.3.2/debian/changelog
ruby-rack-ssl-1.3.2/debian/changelog
--- ruby-rack-ssl-1.3.2/debian/changelog 2014-03-29 18:06:59.000000000
+0100
+++ ruby-rack-ssl-1.3.2/debian/changelog 2014-11-30 15:28:01.000000000
+0100
@@ -1,3 +1,13 @@
+ruby-rack-ssl (1.3.2-4) unstable; urgency=medium
+
+ * Team upload.
+ * Add patch to fix CVE-2014-2538. Our patch is based on
+ upstream 9d7d7300b907e496db68d89d07fbc2e0df0b487b.
+ (Closes: #742186)
+ Thanks to Moritz Muehlenhoff for the pointer.
+
+ -- Christian Hofstaedtler <[email protected]> Sun, 30 Nov 2014 15:24:17 +0100
+
ruby-rack-ssl (1.3.2-3) unstable; urgency=medium
* Add myself to Uploaders:
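Review bot: the version in the new changelog entry (`ruby-rack-ssl (1.3.2-4) unstable`) does not match the version the request asks to unblock (`unblock ruby-rack-ssl/1.3.2-3` in the request body and subject); the unblock hint should name the version actually uploaded, otherwise the hint will not match the package sitting in unstable.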
diff -Nru
ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch
ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch
--- ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch
1970-01-01 01:00:00.000000000 +0100
+++ ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch
2014-11-30 15:23:33.000000000 +0100
@@ -0,0 +1,27 @@
+From 9d7d7300b907e496db68d89d07fbc2e0df0b487b Mon Sep 17 00:00:00 2001
+From: Xavier Shay <[email protected]>
+Date: Tue, 9 Jul 2013 08:49:27 -0700
+Subject: [PATCH] Handle bad URIs gracefully.
+
+Some adapters (i.e. jruby-rack) will pass through bad URIs, then display
+the resulting exception. This creates an attack vector for XSS attacks.
+
+[Refreshed for 1.3.x, remove test as 1.3.x has no tests. [email protected].]
+---
+ lib/rack/ssl.rb | 2 ++
+ test/test_ssl.rb | 8 ++++++++
+ 2 files changed, 10 insertions(+)
+
+Index: ruby-rack-ssl/lib/rack/ssl.rb
+===================================================================
+--- ruby-rack-ssl.orig/lib/rack/ssl.rb 2014-11-30 15:22:21.088079637 +0100
++++ ruby-rack-ssl/lib/rack/ssl.rb 2014-11-30 15:23:31.800007708 +0100
+@@ -54,6 +54,8 @@ module Rack
+ 'Location' => url.to_s)
+
+ [301, headers, []]
++ rescue URI::InvalidURIError
++ [404, {}, []]
+ end
+
+ # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
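Review bot: the diffstat in the patch header is stale: it still lists `test/test_ssl.rb | 8 ++++++++` and `2 files changed, 10 insertions(+)`, while the refresh note says the test was dropped for 1.3.x and the body only touches lib/rack/ssl.rb; regenerate or remove the diffstat so the header matches the body. It would also help to add DEP-3 `Bug-Debian:` (#742186) and `Origin:` fields for the upstream commit so the backport's provenance is machine-readable.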
diff -Nru ruby-rack-ssl-1.3.2/debian/patches/series
ruby-rack-ssl-1.3.2/debian/patches/series
--- ruby-rack-ssl-1.3.2/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ ruby-rack-ssl-1.3.2/debian/patches/series 2014-11-30 15:19:41.000000000
+0100
@@ -0,0 +1 @@
+0001-Handle-bad-URIs-gracefully.patch
--- End Message ---
--- Begin Message ---
On Sun, 2014-11-30 at 16:33 +0100, Christian Hofstaedtler wrote:
> ruby-rack-ssl 1.3.2-3 contains a backport of a security fix for
> CVE-2014-2538 (BTS #742186).
>
> Please unblock package ruby-rack-ssl. Debdiff attached.
Unblocked.
Regards,
Adam
--- End Message ---