Your message dated Tue, 21 May 2019 20:40:24 +0000
with message-id <[email protected]>
and subject line Bug#926348: fixed in ruby-devise 4.5.0-3
has caused the Debian Bug report #926348,
regarding ruby-devise: CVE-2019-5421
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
926348: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926348
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-devise
Version: 4.5.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/plataformatec/devise/issues/4981
Hi,
The following vulnerability was published for ruby-devise.
CVE-2019-5421[0]:
| Plataformatec Devise version 4.5.0 and earlier, using the lockable
| module, contains a CWE-367 vulnerability in the
| `Devise::Models::Lockable` class, more specifically in the
| `#increment_failed_attempts` method (file location:
| lib/devise/models/lockable.rb), which can result in multiple concurrent
| requests preventing an attacker from being blocked in brute force
| attacks. This attack appears to be exploitable via network connectivity
| (brute force attacks). This vulnerability appears to have been fixed
| in 4.6.0 and later.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-5421
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5421
[1] https://github.com/plataformatec/devise/issues/4981
[2] https://github.com/plataformatec/devise/pull/4996
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
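The race the CVE text describes is a lost update on the failed-attempts counter: each login request loads the row, bumps the attribute in application memory and saves it back, so concurrent failures overwrite each other and the counter never reaches the lockout threshold. The following is an added example, not Devise's code and not the patch in PR 4996: it models that read-modify-write pattern against a stand-in users table, forces the "all requests load before any saves" interleaving with a barrier so it reproduces deterministically, and contrasts it with the general remedy of a single database-side increment (UPDATE ... SET failed_attempts = failed_attempts + 1) whose result is read back before the lock decision. Names such as FakeUsersTable, Barrier and simulate_failed_logins are this example's own.

```ruby
# Constructed example for CVE-2019-5421, not code from Devise: models the
# lost-update race in a failed-login counter and the atomic alternative.

# Stands in for the users table. The mutex models the database's
# per-statement atomicity: each method is one statement, but a read
# followed by a write is two statements and can interleave with others.
class FakeUsersTable
  def initialize
    @failed_attempts = 0
    @lock = Mutex.new
  end

  # SELECT failed_attempts FROM users WHERE id = ?
  def read
    @lock.synchronize { @failed_attempts }
  end

  # UPDATE users SET failed_attempts = ? WHERE id = ?   (value computed in Ruby)
  def write(value)
    @lock.synchronize { @failed_attempts = value }
  end

  # UPDATE users SET failed_attempts = failed_attempts + 1 WHERE id = ?
  # Returns the new value, as a reload after an atomic increment would.
  def increment!
    @lock.synchronize { @failed_attempts += 1 }
  end
end

# Forces the interleaving the CVE describes (every request loads the row
# before any of them saves) so the race reproduces on every run instead of
# only under load.
class Barrier
  def initialize(parties)
    @parties = parties
    @arrived = 0
    @mutex = Mutex.new
    @cond = ConditionVariable.new
  end

  def wait
    @mutex.synchronize do
      @arrived += 1
      @cond.broadcast if @arrived == @parties
      @cond.wait(@mutex) while @arrived < @parties
    end
  end
end

# Processes `requests` concurrent failed logins against one account.
# strategy is :read_modify_write (load, bump in memory, save: the pattern
# the CVE describes) or :atomic_increment (one database-side increment).
# Returns [final failed_attempts, number of requests that would have
# locked the account because they observed attempts >= maximum_attempts].
def simulate_failed_logins(strategy, requests:, maximum_attempts:)
  table = FakeUsersTable.new
  barrier = Barrier.new(requests)
  lock_decisions = Queue.new

  threads = Array.new(requests) do
    Thread.new do
      attempts =
        case strategy
        when :read_modify_write
          stale = table.read     # every request loads failed_attempts = 0
          barrier.wait           # ...and waits until all others have too
          table.write(stale + 1) # each saves 1, overwriting the others
          stale + 1
        when :atomic_increment
          barrier.wait
          table.increment!       # the database serialises the increments
        else
          raise ArgumentError, "unknown strategy #{strategy.inspect}"
        end
      lock_decisions << (attempts >= maximum_attempts)
    end
  end
  threads.each(&:join)

  decisions = []
  decisions << lock_decisions.pop until lock_decisions.empty?
  [table.read, decisions.count(true)]
end

if __FILE__ == $PROGRAM_NAME
  %i[read_modify_write atomic_increment].each do |strategy|
    final, locks = simulate_failed_logins(strategy, requests: 20, maximum_attempts: 5)
    puts format('%-18s failed_attempts=%-3d lock decisions=%d', strategy, final, locks)
  end
end
```

With 20 concurrent failures and a threshold of 5, the read-modify-write strategy ends with failed_attempts = 1 and no request ever decides to lock the account, which is exactly the brute-force bypass; the atomic strategy ends at 20 and every request from the fifth onwards sees the threshold crossed. The two points a practitioner should carry over to any lockout implementation are that the increment must happen in the database (or under an equivalent lock), and that the lock decision must be made on the value read back after that increment, never on an attribute computed in application memory.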
--- Begin Message ---
Source: ruby-devise
Source-Version: 4.5.0-3
We believe that the bug you reported is fixed in the latest version of
ruby-devise, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated ruby-devise package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 22 May 2019 00:38:15 +0530
Source: ruby-devise
Architecture: source
Version: 4.5.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Closes: 926348
Changes:
ruby-devise (4.5.0-3) unstable; urgency=medium
.
* Team upload
* Add patch to fix CVE-2019-5421 (Fixes: CVE-2019-5421) (Closes: #926348)
Checksums-Sha1:
81fed3f15c54cf0b4001af3d4c27a607ce71b3bf 2293 ruby-devise_4.5.0-3.dsc
12798adf678a32bb68d9392201748e00b78d43bf 4232 ruby-devise_4.5.0-3.debian.tar.xz
262ea0a5a661cc679b1b38668bbd7ce081afc21d 13048 ruby-devise_4.5.0-3_amd64.buildinfo
Checksums-Sha256:
205dfac66ba65ddc86d644f954c982af180dac029a382c469b7c5572f997db20 2293 ruby-devise_4.5.0-3.dsc
3bb0e12297c80682db9dfb1e01c7c37593ac13aa7bea27f7e5ea886487e2ae0d 4232 ruby-devise_4.5.0-3.debian.tar.xz
b3bafaf6f05e30f59ff57d00ba58d92c942f59f6ef0f0928964dd0a7f4808249 13048 ruby-devise_4.5.0-3_amd64.buildinfo
Files:
a9fc7ba92b817ebc3e043bc1c400371a 2293 ruby optional ruby-devise_4.5.0-3.dsc
5e509350b8e1402a326ec62c05e2102e 4232 ruby optional ruby-devise_4.5.0-3.debian.tar.xz
32732634e58b5043aa483a2b3c7e3cbb 13048 ruby optional ruby-devise_4.5.0-3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers