Your message dated Sat, 18 Jan 2020 20:53:17 +0000
with message-id <[email protected]>
and subject line Bug#946904: fixed in ruby-excon 0.60.0-2
has caused the Debian Bug report #946904,
regarding ruby-excon: CVE-2019-16779
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
946904: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946904
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-excon
Version: 0.60.0-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for ruby-excon.
CVE-2019-16779[0]:
| In RubyGem excon before 0.71.0, there was a race condition around
| persistent connections, where a connection which is interrupted (such
| as by a timeout) would leave data on the socket. Subsequent requests
| would then read this data, returning content from the previous
| response. The race condition window appears to be short, and it would
| be difficult to purposefully exploit this.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-16779
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16779
[1] https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9
[2] https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
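The race described in the quoted advisory, replayed as an added example (constructed for this page, not excon's own code): a read that times out leaves the server's late reply queued on a kept-alive socket, so the next request reads the previous response; discarding the connection on interruption makes the next request reconnect and read its own reply. The length-prefixed framing, the UNIX socket pair standing in for the server, and all names are assumptions.

```ruby
require 'socket'
require 'timeout'

# Toy persistent connection (constructed for this example, not excon's code).
# Responses are framed as a 4-byte big-endian length followed by the body.
class PersistentConn
  def initialize(connect, reset_on_error:)
    @connect = connect                # lambda returning a fresh client socket
    @reset_on_error = reset_on_error  # false = vulnerable, true = mitigated
    @sock = nil
  end

  def ensure_connected; @sock ||= @connect.call; end

  # Read one framed response. If the read is interrupted by a timeout, the
  # vulnerable variant keeps the socket, so whatever the server sends later
  # is still queued for the *next* request; the mitigated variant drops it.
  def read_response(timeout)
    ensure_connected
    Timeout.timeout(timeout) do
      len = @sock.read(4).unpack1('N')
      @sock.read(len)
    end
  rescue Timeout::Error
    if @reset_on_error
      @sock.close        # discard the half-consumed connection
      @sock = nil        # next request must reconnect
    end
    raise
  end
end

def frame(body); [body.bytesize].pack('N') + body; end

# Replays the CVE scenario: request 1 times out, its reply arrives late,
# then request 2 is sent and answered. Returns the body request 2 sees.
def demo(reset_on_error)
  servers = []
  connect = lambda { s, c = UNIXSocket.pair; servers << s; c }
  conn = PersistentConn.new(connect, reset_on_error: reset_on_error)
  begin; conn.read_response(0.05); rescue Timeout::Error; end   # request 1 gives up
  begin
    servers.first.write(frame('body-of-response-1'))   # late reply to request 1
  rescue Errno::EPIPE, Errno::ECONNRESET                # peer already closed it
  end
  conn.ensure_connected                                 # request 2 goes out
  servers.last.write(frame('body-of-response-2'))
  conn.read_response(1)
end
```

`demo(false)` returns the stale first body, which is the cross-request leak the advisory describes; `demo(true)` returns the second body.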
--- Begin Message ---
Source: ruby-excon
Source-Version: 0.60.0-2
We believe that the bug you reported is fixed in the latest version of
ruby-excon, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated ruby-excon package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 19 Jan 2020 01:47:37 +0530
Source: ruby-excon
Architecture: source
Version: 0.60.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Closes: 946904
Changes:
ruby-excon (0.60.0-2) unstable; urgency=medium
.
* Add patch to fix leftover data with interrupted persistent
connections. (Fixes: CVE-2019-19779) (Closes: #946904)
* Add patch to update expired certs
* Refresh d/patches
* Fix package wrt cme
* Add salsa-ci.yml
* Move debian/watch to gemwatch.debian.net
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers