Your message dated Sun, 13 Feb 2022 17:47:08 +0000
with message-id <[email protected]>
and subject line Bug#1002995: fixed in ruby2.7 2.7.4-1+deb11u1
has caused the Debian Bug report #1002995,
regarding ruby3.0: CVE-2021-41816 CVE-2021-41817 CVE-2021-41819
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1002995: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002995
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby3.0
Version: 3.0.2-5
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for ruby3.0; they were
fixed upstream in 3.0.3.
CVE-2021-41816[0]:
| Buffer Overrun in CGI.escape_html
CVE-2021-41817[1]:
| Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS
| (regular expression Denial of Service) via a long string. The fixed
| versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
CVE-2021-41819[2]:
| CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes
| in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-41816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41816
[1] https://security-tracker.debian.org/tracker/CVE-2021-41817
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41817
[2] https://security-tracker.debian.org/tracker/CVE-2021-41819
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41819
Regards,
Salvatore
--- End Message ---
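As an added illustration (not code from the bug report, the date gem or the Debian package), the length bound that the CVE-2021-41817 fix puts on date parsing, written as a wrapper around Date.parse so it works whatever date gem is installed; the names parse_date_bounded and parse_date_or_nil and the sample inputs are constructed here.

```ruby
require "date"

# Upper bound on the length of a string handed to Date.parse.
# The date gem's fix for CVE-2021-41817 added a `limit:` keyword
# (default 128) with the same effect; this wrapper enforces the bound
# itself so the check does not depend on which date gem is installed.
DATE_STRING_LIMIT = 128

# Parses +str+ as a date, refusing inputs longer than +limit+ characters
# before the date parser's regular expressions ever see them.
# Returns a Date on success; raises ArgumentError on over-long or
# unparseable input (Date::Error is a subclass of ArgumentError).
def parse_date_bounded(str, limit: DATE_STRING_LIMIT)
  raise ArgumentError, "expected a String, got #{str.class}" unless str.is_a?(String)
  if str.length > limit
    raise ArgumentError, "string length (#{str.length}) exceeds the limit #{limit}"
  end
  Date.parse(str)
end

# Convenience form for request handlers: nil instead of an exception,
# so untrusted input never turns into an unhandled error or a long parse.
def parse_date_or_nil(str, limit: DATE_STRING_LIMIT)
  parse_date_bounded(str, limit: limit)
rescue ArgumentError
  nil
end

if __FILE__ == $0
  # Constructed inputs: one normal timestamp and one that merely repeats
  # a digit far beyond the length of any legitimate date string.
  puts "parsed: #{parse_date_bounded("2022-01-27 21:16:13 +0530")}" # parsed: 2022-01-27
  puts parse_date_or_nil("1" * 5000).inspect                         # nil
end
```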
--- Begin Message ---
Source: ruby2.7
Source-Version: 2.7.4-1+deb11u1
Done: Utkarsh Gupta <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ruby2.7, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated ruby2.7 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 27 Jan 2022 21:16:13 +0530
Source: ruby2.7
Architecture: source
Version: 2.7.4-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Closes: 1002995
Changes:
ruby2.7 (2.7.4-1+deb11u1) bullseye-security; urgency=high
.
* Add length limit option for methods that parse
date strings. (Fixes: CVE-2021-41817)
* When parsing cookies, only decode the values.
(Fixes: CVE-2021-41819)
* Add patch to fix integer overflow.
(Fixes: CVE-2021-41816) (Closes: #1002995)
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers