Your message dated Thu, 05 May 2022 19:05:36 +0000
with message-id <[email protected]>
and subject line Bug#1009787: fixed in ruby-nokogiri 1.13.5+dfsg-1
has caused the Debian Bug report #1009787,
regarding ruby-nokogiri: CVE-2022-24836: Inefficient Regular Expression 
Complexity
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1009787: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009787
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-nokogiri
Version: 1.13.1+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ruby-nokogiri.

CVE-2022-24836[0]:
| Nokogiri is an open source XML and HTML library for Ruby. Nokogiri
| `&lt; v1.13.4` contains an inefficient regular expression that is
| susceptible to excessive backtracking when attempting to detect
| encoding in HTML documents. Users are advised to upgrade to Nokogiri
| `&gt;= 1.13.4`. There are no known workarounds for this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24836
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24836
[1] 
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
[2] 
https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ruby-nokogiri
Source-Version: 1.13.5+dfsg-1
Done: Cédric Boutillier <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ruby-nokogiri, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cédric Boutillier <[email protected]> (supplier of updated ruby-nokogiri 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 May 2022 14:04:16 +0200
Source: ruby-nokogiri
Architecture: source
Version: 1.13.5+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team 
<[email protected]>
Changed-By: Cédric Boutillier <[email protected]>
Closes: 1009787
Changes:
 ruby-nokogiri (1.13.5+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 1.13.5+dfsg
     + fixes CVE-2022-24836: Inefficient Regular Expression Complexity
       (Closes: #1009787)
   * Refresh 0005-Remove-unnecessary-development-dependencies.patch
   * Bump version build-dependency on ruby-mini-portile2
   * Update years in copyright file
Checksums-Sha1:
 d138073c9d7d00207628fd553450080d46253c73 1810 ruby-nokogiri_1.13.5+dfsg-1.dsc
 c251ce92ad8a766f75890091974afdc6a30e1d2d 713052 
ruby-nokogiri_1.13.5+dfsg.orig.tar.xz
 b7454c9d4d4d889652ee66e3f118eaefc0074cf4 11608 
ruby-nokogiri_1.13.5+dfsg-1.debian.tar.xz
 40daf81932fdfe471f966ae1a8c4dbc60c135c3e 10133 
ruby-nokogiri_1.13.5+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 ba8668d8934fa8cc4a869b2ebc51c84c29458d73198b7d267470f3ee14832aaa 1810 
ruby-nokogiri_1.13.5+dfsg-1.dsc
 25e579e6ae745957a8250999021111d3ff2c8aebc49a32a7a5733280494adfa8 713052 
ruby-nokogiri_1.13.5+dfsg.orig.tar.xz
 864f8bc236fc41acdc3c04e22335fb9678011cf5f03a161230b11811a7b61a13 11608 
ruby-nokogiri_1.13.5+dfsg-1.debian.tar.xz
 6ebbd0e61921ab9d79ddda72f1181908c4c5b3539a1ade0fa9590ee2971217d6 10133 
ruby-nokogiri_1.13.5+dfsg-1_amd64.buildinfo
Files:
 41392bdb7410b4f3c11aeba63a72327a 1810 ruby optional 
ruby-nokogiri_1.13.5+dfsg-1.dsc
 f98186f02d19f615cf11e8a1ecb8b952 713052 ruby optional 
ruby-nokogiri_1.13.5+dfsg.orig.tar.xz
 66c7262ef0ac9a9816952900a33bd9d5 11608 ruby optional 
ruby-nokogiri_1.13.5+dfsg-1.debian.tar.xz
 9d06c1559917f60c3e16ad9ae299e286 10133 ruby optional 
ruby-nokogiri_1.13.5+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQSEz/3CFSD4gwbsKdFSaZq2P58rwwUCYnQWKwAKCRBSaZq2P58r
wxATAQCOfk4d/Nca/wcqgbxgmiC0AaPT9PmHV4tT4zZUyYm7UQD+NwKs0AHaem2t
sMxXbMWiKCS8r8jiNY+bLeEAV9UWvQI=
=mHqa
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers

Reply via email to