Your message dated Tue, 13 Sep 2022 08:49:22 +0000
with message-id <[email protected]>
and subject line Bug#1014809: fixed in ruby-mechanize 2.8.5-1
has caused the Debian Bug report #1014809,
regarding ruby-mechanize: CVE-2022-31033
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1014809: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014809
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-mechanize
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for ruby-mechanize.

CVE-2022-31033[0]:
| The Mechanize library is used for automating interaction with
| websites. Mechanize automatically stores and sends cookies, follows
| redirects, and can follow links and submit forms. In versions prior to
| 2.8.5 the Authorization header is leaked after a redirect to a
| different port on the same site. Users are advised to upgrade to
| Mechanize v2.8.5 or later. There are no known workarounds for this
| issue.

https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9

Prerequisite to clear credential headers when redirecting to cross site
https://github.com/sparklemotion/mechanize/commit/17e5381032c90caf240ac3d2e52b353f40c18d83
 (v2.8.0)

Fixed by: 
https://github.com/sparklemotion/mechanize/commit/907c778001625cb9daa686d5019c939cb416e45b
 (v2.8.5)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31033
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31033

Please adjust the affected versions in the BTS as needed.

--- End Message ---
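The advisory quoted above turns on one detail: a redirect to the same host on a different port is a different origin, and credential headers must be dropped for it just as they are for a redirect to another host (the v2.8.0 prerequisite commit cleared them on cross-site redirects; 2.8.5 is the fix for the port case). The following is an added example, not Mechanize's own code and not taken from either commit, that contrasts a host-only "same site" check with a full scheme/host/port origin check and runs both through a small redirect follower over a constructed in-memory server map. The policy names (:host, :origin), the CREDENTIAL_HEADERS list, the URLs and the server map are illustrative assumptions; absolute URLs are assumed throughout.

```ruby
require 'uri'

# Headers that carry credentials and must not cross an origin boundary.
# Assumption: illustrative list, not Mechanize's.
CREDENTIAL_HEADERS = %w[Authorization Cookie].freeze

# Origin = scheme + host + effective port (RFC 6454). URI#port falls back to
# the scheme default, so http://a.example/ and http://a.example:80/ compare
# equal, while http://a.example:8080/ does not.
def origin(url)
  u = url.is_a?(URI) ? url : URI.parse(url)
  [u.scheme.downcase, u.host.downcase, u.port]
end

# The behaviour the advisory describes for versions before 2.8.5: only the host
# is compared, so a redirect to another port on the same host is treated as
# "same site" and the Authorization header survives.
def same_site_host_only?(from, to)
  URI.parse(from).host.casecmp?(URI.parse(to).host)
end

# Port-aware check: the whole origin must match.
def same_origin?(from, to)
  origin(from) == origin(to)
end

# Headers for the redirected request under a given policy. Credential headers
# are stripped whenever the policy says the target is not the same origin.
def headers_for_redirect(headers, from, to, policy: :origin)
  keep = policy == :origin ? same_origin?(from, to) : same_site_host_only?(from, to)
  return headers.dup if keep

  headers.reject { |name, _| CREDENTIAL_HEADERS.any? { |c| c.casecmp?(name) } }
end

# Follow redirects over a constructed "server": a Hash mapping a URL to either
# [:redirect, location] or [:ok, body]. Returns the final status and the list
# of [url, headers] pairs that were sent, so the leak (or its absence) is visible.
def follow(url, headers, server, policy: :origin, max_hops: 5)
  sent = []
  max_hops.times do
    sent << [url, headers]
    kind, payload = server.fetch(url)
    return [kind, sent] if kind == :ok

    headers = headers_for_redirect(headers, url, payload, policy: policy)
    url = payload
  end
  [:too_many_redirects, sent]
end

if $PROGRAM_NAME == __FILE__
  server = {
    'https://app.example/login'      => [:redirect, 'https://app.example:8443/admin'],
    'https://app.example:8443/admin' => [:ok, 'welcome']
  }
  req = { 'Authorization' => 'Bearer secret-token', 'Accept' => 'text/html' }
  %i[host origin].each do |policy|
    _, sent = follow('https://app.example/login', req, server, policy: policy)
    puts "#{policy}: second request carries Authorization? #{sent[1][1].key?('Authorization')}"
  end
end
```

Run as a script, the :host policy reports that the second request (to port 8443) still carries the bearer token, and the :origin policy reports that it does not, while non-credential headers such as Accept are kept in both cases. The same comparison is what a client library needs before replaying any credential header, cookie jar entry or proxy credential across a redirect.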
--- Begin Message ---
Source: ruby-mechanize
Source-Version: 2.8.5-1
Done: Unit 193 <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ruby-mechanize, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Unit 193 <[email protected]> (supplier of updated ruby-mechanize package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Tue, 13 Sep 2022 04:25:14 -0400
Source: ruby-mechanize
Architecture: source
Version: 2.8.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Unit 193 <[email protected]>
Closes: 1014809 1019636
Changes:
 ruby-mechanize (2.8.5-1) unstable; urgency=medium
 .
   [ Utkarsh Gupta ]
   * New upstream version 2.8.5. (Closes: #1014809) (Fixes: CVE-2022-31033)
     - Fix tests on Ruby 3.1 (Closes: #1019636)
   * Refresh d/patches.
   * Drop patches that have been merged upstream.
   * d/control: Add ruby-addressable as a dependency.
   * d/control: Specify minimum version of ruby-net-http-digest-auth.
 .
   [ Unit 193 ]
   * d/p/avoid-git.patch: Add patch to avoid calling `git` in gemspec.
   * d/ruby-mechanize.docs, d/rules:
     - Follow renames, README.(rdoc → md), CHANGELOG.(rdoc → md).
   * d/rules: Set LC_ALL to C.UTF-8 to appease tests.
   * d/control: R³: no
   * Update Standards-Version to 4.6.1.
Checksums-Sha1:
 d65758f3de1a6e929df8428e1023b7e7a19eb803 2294 ruby-mechanize_2.8.5-1.dsc
 57e36f9ace03fa4d6c49d25c2e350e38afdc9f59 139774 ruby-mechanize_2.8.5.orig.tar.gz
 0b53e5b5db85ebf5b4ef58bd3572af153c08fa68 7248 ruby-mechanize_2.8.5-1.debian.tar.xz
 81b9e979718d79a98099134b3a9849f6e4fd9ec4 9659 ruby-mechanize_2.8.5-1_amd64.buildinfo
Checksums-Sha256:
 b9d75d5fa82156f9c37d39b18ff540582b8a06db0fe77b542ab57bfedaf6d34e 2294 ruby-mechanize_2.8.5-1.dsc
 0a7be0b132deeb8d8555a5e5058656fc6eabbd8ae1915a014af17c89d1f333ba 139774 ruby-mechanize_2.8.5.orig.tar.gz
 1b9ed3eee69c5490e8afd8e79ad849a1fe0e72d45b23edd693b38a66cae2a362 7248 ruby-mechanize_2.8.5-1.debian.tar.xz
 9e661e5ea9c5f1afdb26149f605ef62842e88b2afe0bad38ab23a12a0db71d89 9659 ruby-mechanize_2.8.5-1_amd64.buildinfo
Files:
 9d6488ebb1de7a33258fd889d9542f92 2294 ruby optional ruby-mechanize_2.8.5-1.dsc
 26f2239c0f24326836d168d4a8f94053 139774 ruby optional ruby-mechanize_2.8.5.orig.tar.gz
 6a4832a15e32b576683b9ef3b8abf056 7248 ruby optional ruby-mechanize_2.8.5-1.debian.tar.xz
 58ffcccf8ff8213dca3e4900cc0ef5df 9659 ruby optional ruby-mechanize_2.8.5-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
