Your message dated Sat, 15 Feb 2020 12:34:27 +0000
with message-id <[email protected]>
and subject line Bug#944849: fixed in ruby-rack-cors 1.1.1-1
has caused the Debian Bug report #944849,
regarding ruby-rack-cors: CVE-2019-18978
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
944849: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944849
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-rack-cors
Version: 1.0.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerability was published for ruby-rack-cors.
CVE-2019-18978[0]:
| An issue was discovered in the rack-cors (aka Rack CORS Middleware)
| gem before 1.0.4 for Ruby. It allows ../ directory traversal to access
| private resources because resource matching does not ensure that
| pathnames are in a canonical format.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-18978
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18978
[1] https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
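The CVE text above describes the defect class rather than the code: a CORS allow-list compares the request path as sent by the client against resource patterns, so a path that contains `../` (or its percent-encoded form) can satisfy a permissive pattern while actually naming a different resource. The Ruby below is an added example written for this page, not rack-cors code and not the upstream fix referenced in [1]; it uses a constructed allow-list and hypothetical helper names (`naive_allowed?`, `canonical_path`, `canonical_allowed?`) to show a naive matcher beside one that lexically canonicalises the path before matching.

```ruby
# Added example for this bug report (not rack-cors code): why a CORS resource
# matcher must canonicalise the request path before comparing it to patterns.
require 'pathname'

# Constructed allow-list: a path-prefix pattern and the origins allowed to use it.
# The rule shape is an assumption for the example, not rack-cors configuration.
ALLOWED_RESOURCES = [
  { pattern: %r{\A/public/}, origins: ['https://app.example'] }
].freeze

# Returns the first rule whose pattern and origin both match, or nil.
def rule_for(path, origin)
  ALLOWED_RESOURCES.find do |rule|
    rule[:pattern].match?(path) && rule[:origins].include?(origin)
  end
end

# Weak form (the defect class described in the CVE): the raw client path is
# matched, so "/public/../private/x" still satisfies the "/public/" prefix rule.
def naive_allowed?(path, origin)
  !rule_for(path, origin).nil?
end

# Lexical canonicalisation: decode percent-escapes, force an absolute path,
# then collapse "." and ".." segments without touching the filesystem.
# Pathname#cleanpath also discards ".." segments that would climb above "/".
def canonical_path(path)
  decoded = path.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
  decoded = '/' + decoded unless decoded.start_with?('/')
  Pathname.new(decoded).cleanpath.to_s
end

# Hardened form: match the canonical path, never the one the client sent.
def canonical_allowed?(path, origin)
  !rule_for(canonical_path(path), origin).nil?
end

# Constructed cases: [request path, origin, naive result, hardened result].
SAMPLE_REQUESTS = [
  ['/public/img.png',                'https://app.example',  true,  true],
  ['/public/../private/secret',      'https://app.example',  true,  false],
  ['/public/%2e%2e/private/secret',  'https://app.example',  true,  false],
  ['/public/../../private/secret',   'https://app.example',  true,  false],
  ['/private/secret',                'https://app.example',  false, false],
  ['/public/img.png',                'https://evil.example', false, false]
].freeze

# Runs every sample through both matchers; true only if each behaves as expected.
def samples_behave_as_expected?
  SAMPLE_REQUESTS.all? do |path, origin, naive, hardened|
    naive_allowed?(path, origin) == naive &&
      canonical_allowed?(path, origin) == hardened
  end
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REQUESTS.each do |path, origin, _naive, _hardened|
    printf("%-32s %-20s naive=%-5s canonical=%-5s (%s)\n",
           path, origin, naive_allowed?(path, origin),
           canonical_allowed?(path, origin), canonical_path(path))
  end
end
```

The matcher that canonicalises first is the only one for which the prefix rule means what its author intended; a percent-decoding step belongs in front of the segment collapse because the dot segments in the encoded variant are invisible to `cleanpath` otherwise. In a real deployment the same normalisation should be applied once, consistently, by every layer that makes an allow/deny decision on the path.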
--- Begin Message ---
Source: ruby-rack-cors
Source-Version: 1.1.1-1
Done: Pirate Praveen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ruby-rack-cors, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pirate Praveen <[email protected]> (supplier of updated ruby-rack-cors package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 15 Feb 2020 13:03:39 +0100
Source: ruby-rack-cors
Architecture: source
Version: 1.1.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Pirate Praveen <[email protected]>
Closes: 944849
Changes:
ruby-rack-cors (1.1.1-1) unstable; urgency=medium
.
[ Utkarsh Gupta ]
* Add salsa-ci.yml
.
[ Pirate Praveen ]
* New upstream version 1.1.1 (Closes: #944849) (Fixes: CVE-2019-18978)
* Bump Standards-Version to 4.5.0 (no changes needed)
* Drop compat file, rely on debhelper-compat and bump compat level to 12
Checksums-Sha1:
2635f8a931bc7908a2bfb5651c95da33b8cf6848 2088 ruby-rack-cors_1.1.1-1.dsc
e82014fcd24e82f6661ab3d641987659e12b2be2 49925 ruby-rack-cors_1.1.1.orig.tar.gz
268101d20048298f9e74470482ab86e42c47e5c1 2820 ruby-rack-cors_1.1.1-1.debian.tar.xz
4f308b91f0d68346b8370745c9d0eaa34c169e24 13637 ruby-rack-cors_1.1.1-1_source.buildinfo
Checksums-Sha256:
2180a83dcb3dff289677ca0964c7762f59392d81209f59322802cefde616bfe1 2088 ruby-rack-cors_1.1.1-1.dsc
1f96f5fbc5ad25e3a007aa62fadcd148e5cd2322c0e306a5afe82a05d9a3b602 49925 ruby-rack-cors_1.1.1.orig.tar.gz
38cdc74294bbdba87ba012c5c0f458bdef950237af30ec100bdb118c455c8be6 2820 ruby-rack-cors_1.1.1-1.debian.tar.xz
00320fcacf4d6ed90b9f9ef2fdd82e4208539cafacca146ec456d12a5687e063 13637 ruby-rack-cors_1.1.1-1_source.buildinfo
Files:
e73dd23a0a24de840308f617c75865b5 2088 ruby optional ruby-rack-cors_1.1.1-1.dsc
c220a88dce97e78b9523d0709df422ae 49925 ruby optional ruby-rack-cors_1.1.1.orig.tar.gz
1927f1f36d65742deaad1e44f1b2278c 2820 ruby optional ruby-rack-cors_1.1.1-1.debian.tar.xz
73dc961d8e8a54ad42e15cd468ac0a37 13637 ruby optional ruby-rack-cors_1.1.1-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers