Your message dated Wed, 25 Jan 2023 05:05:08 +0000
with message-id <[email protected]>
and subject line Bug#1009926: fixed in ruby-git 1.13.1-1
has caused the Debian Bug report #1009926,
regarding ruby-git: CVE-2022-25648
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1009926: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009926
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-git
Version: 1.9.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/ruby-git/ruby-git/pull/569
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ruby-git.

CVE-2022-25648[0]:
| The package git before 1.11.0 is vulnerable to Command Injection via
| git argument injection. When calling the fetch(remote = 'origin', opts
| = {}) function, the remote parameter is passed to the git fetch
| subcommand in a way that additional flags can be set. The additional
| flags can be used to perform a command injection.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-25648
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25648
[1] https://github.com/ruby-git/ruby-git/pull/569
[2] https://security.snyk.io/vuln/SNYK-RUBY-GIT-2421270
[3] https://github.com/ruby-git/ruby-git/commit/291ca0946bec7164b90ad5c572ac147f512c7159

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
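The argument-injection class described in the CVE text above, shown as an added illustration that is not ruby-git's own code and does not reproduce its actual fix. It only builds the argv a wrapper would hand to git (git is never executed); the helper names are hypothetical, and the remote name and URL used in the comments are constructed.

```ruby
# Added example, not ruby-git's code. Shows why a caller-controlled remote
# name placed where git's option parser still reads it can be taken as a
# flag, and one defensive shape: validate the name and terminate option
# parsing with '--' before any positional argument.

# Constructed allow-list: first character must be alphanumeric, so nothing
# git would parse as an option can pass; later characters cover remote
# names and common fetch URLs such as https://example.invalid/repo.git.
REMOTE_NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9._:@\/-]*\z/

# Vulnerable shape (hypothetical): the remote goes straight after the
# subcommand, so a value beginning with '-' is parsed as an option.
def unsafe_fetch_argv(remote = 'origin', opts = {})
  argv = ['fetch', remote]
  argv << opts[:ref] if opts[:ref]
  argv << '--tags' if opts[:tags]
  argv
end

# True only for values git will treat as a remote, never as an option.
def valid_remote_name?(remote)
  remote.is_a?(String) && remote.match?(REMOTE_NAME_RE)
end

# Hardened shape (hypothetical): reject option-like input up front, emit
# the wrapper's own options first, then '--' so git stops option parsing
# and treats everything after it as positional arguments.
def safe_fetch_argv(remote = 'origin', opts = {})
  raise ArgumentError, "invalid remote name: #{remote.inspect}" unless valid_remote_name?(remote)
  if opts[:ref] && opts[:ref].start_with?('-')
    raise ArgumentError, "invalid ref: #{opts[:ref].inspect}"
  end
  argv = ['fetch']
  argv << '--tags' if opts[:tags]
  argv << '--'
  argv << remote
  argv << opts[:ref] if opts[:ref]
  argv
end
```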
--- Begin Message ---
Source: ruby-git
Source-Version: 1.13.1-1
Done: Daniel Leidert <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ruby-git, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert <[email protected]> (supplier of updated ruby-git package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 25 Jan 2023 05:32:52 +0100
Source: ruby-git
Architecture: source
Version: 1.13.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Daniel Leidert <[email protected]>
Closes: 1009926
Changes:
 ruby-git (1.13.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
     - Fixes CVE-2022-25648 (closes: #1009926).
     - Fixes CVE-2022-46648.
     - Fixes CVE-2022-47318.
 .
   [ Debian Janitor ]
   * Bump debhelper from old 12 to 13.
 .
   [ Daniel Leidert ]
   * d/control (Build-Depends): Add ruby-addressable.
     (Standards-Version): Bump to 4.6.2.
   * d/copyright (Copyright): Update years.
   * d/watch: Get tarballs from tags page to fix downloads.
   * d/patches/fix-test.patch: Drop patch (applied upstream).
   * d/upstream/metadata: Fix URLs and use HTTPS.

--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers