Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <[email protected]>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #805260,
regarding jessie-pu: package ruby-bson/1.10.0-1+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
805260: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805260
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hi,
Please accept the fixes for CVE-2015-4410 in ruby-bson. I have already discussed
this with the security team (tagged as no-dsa).
Source debdiff attached.
https://security-tracker.debian.org/CVE-2015-4410
Regards,
Prach
diff -Nru ruby-bson-1.10.0/debian/changelog ruby-bson-1.10.0/debian/changelog
--- ruby-bson-1.10.0/debian/changelog 2014-05-15 12:00:35.000000000 +0700
+++ ruby-bson-1.10.0/debian/changelog 2015-11-16 08:59:15.000000000 +0700
@@ -1,3 +1,9 @@
+ruby-bson (1.10.0-1+deb8u1) jessie; urgency=medium
+
+ * Fix CVE-2015-4410: DoS and possible injection (Closes: #787951)
+
+ -- Prach Pongpanich <[email protected]> Mon, 16 Nov 2015 08:55:51 +0700
+
ruby-bson (1.10.0-1) unstable; urgency=medium
[ Cédric Boutillier ]
diff -Nru ruby-bson-1.10.0/debian/gbp.conf ruby-bson-1.10.0/debian/gbp.conf
--- ruby-bson-1.10.0/debian/gbp.conf 1970-01-01 07:00:00.000000000 +0700
+++ ruby-bson-1.10.0/debian/gbp.conf 2015-11-16 08:59:15.000000000 +0700
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/jessie
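Review bot: the new debian/gbp.conf is packaging metadata unrelated to the CVE-2015-4410 fix, and a stable point-release debdiff is expected to be minimal. Either drop it from the jessie-pu upload or mention it in the changelog entry so the release team can see it is intentional. It has no effect on the build itself, since gbp.conf is only read by git-buildpackage, not by dpkg-buildpackage.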
diff -Nru ruby-bson-1.10.0/debian/patches/series ruby-bson-1.10.0/debian/patches/series
--- ruby-bson-1.10.0/debian/patches/series 2014-05-15 12:00:35.000000000 +0700
+++ ruby-bson-1.10.0/debian/patches/series 2015-11-15 00:59:01.000000000 +0700
@@ -4,3 +4,4 @@
#change_require_activesupport.patch
#add_to_bson_code.patch
remove_rubygems_from_bins.patch
+Update_BSON_ObjectId_validation.patch
diff -Nru ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch
--- ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch 1970-01-01 07:00:00.000000000 +0700
+++ ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch 2015-11-15 00:59:01.000000000 +0700
@@ -0,0 +1,18 @@
+From bb544c2f6fd62940f04ddc1abeeaa3f23c1a9ade Mon Sep 17 00:00:00 2001
+From: Emily Stolfo <[email protected]>
+Date: Thu, 4 Jun 2015 11:19:36 -0400
+Subject: [PATCH] RUBY-941 Update BSON ObjectId validation
+
+diff --git a/lib/bson/types/object_id.rb b/lib/bson/types/object_id.rb
+index 5de7f66..6e44efa 100644
+--- a/lib/bson/types/object_id.rb
++++ b/lib/bson/types/object_id.rb
+@@ -51,7 +51,7 @@ def initialize(data=nil, time=nil)
+ #
+ # @return [Boolean]
+ def self.legal?(str)
+- str =~ /^[0-9a-f]{24}$/i ? true : false
++ str =~ /\A[0-9a-f]{24}\z/i ? true : false
+ end
+
+ # Create an object id from the given time. This is useful for doing range
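Review bot: the anchor change in the `legal?` hunk is the right one, and it is worth confirming in review that it is `\z` and not `\Z`: in Ruby `^` and `$` match at every line boundary, so `"<24 hex digits>\n<anything>"` satisfied the old `/^[0-9a-f]{24}$/i`, while `\A` and `\z` match only at the absolute start and end of the string, and `\Z` would still have tolerated a trailing newline. Two smaller points: the patch carries only the git-format-patch header (From/Date/Subject) and no DEP-3 `Origin:`/`Bug-Debian:` fields, which would make it easier to trace back to upstream commit bb544c2f and to #787951; and the 18-line patch touches only lib/bson/types/object_id.rb, so no regression test for the multi-line case is carried into the package.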
--- End Message ---
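The two versions of the validation regex from the patch above, placed side by side so the difference in anchoring can be seen on real input. This is an added example, not code from the Debian bug, from Prach's debdiff or from the upstream bson gem; the method names `legal_before`/`legal_after` and the sample strings in `SAMPLES` are constructed for illustration.

```ruby
# Added example: the pre- and post-fix forms of BSON::ObjectId.legal? from the
# CVE-2015-4410 patch, as plain methods, applied to constructed inputs.

# Before the fix. In Ruby, ^ and $ match at *line* boundaries, so any string
# that contains a line of exactly 24 hex digits passes, whatever surrounds it.
def legal_before(str)
  str =~ /^[0-9a-f]{24}$/i ? true : false
end

# After the fix. \A and \z match only at the absolute start and end of the
# string (\z, unlike \Z, does not tolerate a trailing newline).
def legal_after(str)
  str =~ /\A[0-9a-f]{24}\z/i ? true : false
end

# Constructed inputs (hypothetical values, for illustration only).
SAMPLES = {
  valid:           "507f1f77bcf86cd799439011",
  uppercase:       "507F1F77BCF86CD799439011",
  too_short:       "507f1f77bcf86cd79943901",
  non_hex:         "507f1f77bcf86cd79943901g",
  trailing_nl:     "507f1f77bcf86cd799439011\n",
  multiline:       "507f1f77bcf86cd799439011\nanything after the newline",
  leading_garbage: "not-an-id\n507f1f77bcf86cd799439011",
}.freeze

# [name, result of old check, result of new check] for every sample.
def compare(samples = SAMPLES)
  samples.map { |name, s| [name, legal_before(s), legal_after(s)] }
end

# Names of the samples the old check accepted and the fixed check rejects.
def bypasses(samples = SAMPLES)
  samples.select { |_, s| legal_before(s) && !legal_after(s) }.keys
end

if __FILE__ == $0
  puts format("%-16s %-7s %s", "input", "before", "after")
  compare.each { |name, before, after| puts format("%-16s %-7s %s", name, before, after) }
  puts "accepted only by the old regex: #{bypasses.inspect}"
end
```

Running the file prints one row per sample; the three multi-line or newline-terminated strings are the ones the old `^...$` pattern let through, which is the input class a caller cannot distinguish from a genuine ObjectId once `legal?` has returned true.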
--- Begin Message ---
Version: 8.3
Hi,
The updates referred to in these bugs were included in today's 8.3
Jessie point release.
Regards,
Adam
--- End Message ---