Your message dated Mon, 27 Jan 2025 17:53:37 +0000
with message-id <[email protected]>
and subject line Bug#1087290: fixed in ruby-sinatra 4.1.1-1
has caused the Debian Bug report #1087290,
regarding ruby-sinatra: CVE-2024-21510
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1087290: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087290
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-sinatra
Version: 3.2.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ruby-sinatra.

CVE-2024-21510[0]:
| Versions of the package sinatra from 0.0.0 are vulnerable to
| Reliance on Untrusted Inputs in a Security Decision via the
| X-Forwarded-Host (XFH) header. When making a request to a method
| with redirect applied, it is possible to trigger an Open Redirect
| Attack by inserting an arbitrary address into this header. If used
| for caching purposes, such as with servers like Nginx, or as a
| reverse proxy, without handling the X-Forwarded-Host header,
| attackers can potentially exploit Cache Poisoning or Routing-based
| SSRF.

As of filing this bug report, please be aware that a complete fix is
not yet available, cf. also
https://bugzilla.suse.com/show_bug.cgi?id=1232746 . Can you maybe
please approach upstream to query the current status?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21510
    https://www.cve.org/CVERecord?id=CVE-2024-21510
[1] https://security.snyk.io/vuln/SNYK-RUBY-SINATRA-6483832
[2] https://github.com/sinatra/sinatra/pull/2010

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
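The CVE text above describes the mechanism only in prose: a proxy-aware host lookup takes the host from X-Forwarded-Host, and a redirect to a relative path is expanded into an absolute Location using that host, so a client that supplies the header controls where the browser is sent. The block below is an added illustration written for this page; it is not Sinatra's code and not the upstream fix (that is in PR #2010, linked above). It hand-builds Rack-style environments instead of running a server, assumes the "last value of a comma-separated X-Forwarded-Host wins" convention, and uses a constructed allowlist (`PERMITTED_HOSTS`) and helper names (`request_host`, `redirect_vulnerable`, `redirect_hardened`) that are this example's own.

```ruby
# Constructed allowlist for the hardened variant. Assumption: the application is
# only ever served as app.example.com; a real deployment lists its real hosts.
PERMITTED_HOSTS = ["app.example.com"].freeze

# Build a minimal Rack env by hand so the example runs without a web server.
# The values are constructed sample input, not captured traffic.
def build_env(path, host:, forwarded_host: nil, scheme: "http")
  env = {
    "REQUEST_METHOD"  => "GET",
    "PATH_INFO"       => path,
    "HTTP_HOST"       => host,
    "rack.url_scheme" => scheme,
  }
  env["HTTP_X_FORWARDED_HOST"] = forwarded_host if forwarded_host
  env
end

# Proxy-aware host lookup: prefer X-Forwarded-Host (last value of a comma list,
# the convention assumed here), otherwise fall back to Host. This is the
# untrusted input the CVE description refers to.
def request_host(env)
  xfh = env["HTTP_X_FORWARDED_HOST"].to_s
  return xfh.split(/,\s*/).last.strip unless xfh.strip.empty?
  env["HTTP_HOST"].to_s
end

def absolute_url?(target)
  target.match?(%r{\A[a-z][a-z0-9+.-]*://}i)
end

# Vulnerable pattern: a relative redirect target is expanded with whatever host
# the request claimed, so "X-Forwarded-Host: evil.example" lands in Location.
def redirect_vulnerable(env, target)
  location = absolute_url?(target) ? target : "#{env['rack.url_scheme']}://#{request_host(env)}#{target}"
  [302, { "Location" => location }]
end

# Hardened pattern: the claimed host must match the allowlist (hostname only,
# port stripped, case-insensitive) before it may influence the redirect.
# A request naming an unknown host is refused with 403 instead of redirected.
def redirect_hardened(env, target, permitted: PERMITTED_HOSTS)
  host = request_host(env)
  hostname = host.sub(/:\d+\z/, "").downcase
  return [403, { "Content-Type" => "text/plain" }] unless permitted.include?(hostname)
  location = absolute_url?(target) ? target : "#{env['rack.url_scheme']}://#{host}#{target}"
  [302, { "Location" => location }]
end

if __FILE__ == $PROGRAM_NAME
  honest   = build_env("/login", host: "app.example.com")
  poisoned = build_env("/login", host: "app.example.com", forwarded_host: "evil.example")
  puts redirect_vulnerable(honest, "/dashboard").inspect
  puts redirect_vulnerable(poisoned, "/dashboard").inspect
  puts redirect_hardened(poisoned, "/dashboard").inspect
end
```

Two points the example makes concrete. First, the open redirect needs no attacker-controlled route: any handler that redirects to a relative path is enough, because the host is added by the framework, not the handler. Second, the application-side allowlist is only half the control; the reverse proxy the CVE text mentions should overwrite (not merely pass through) X-Forwarded-Host so that the value the application sees was set by the proxy rather than the client.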
--- Begin Message ---
Source: ruby-sinatra
Source-Version: 4.1.1-1
Done: Pirate Praveen <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ruby-sinatra, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <[email protected]> (supplier of updated ruby-sinatra package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 27 Jan 2025 18:13:14 +0100
Source: ruby-sinatra
Architecture: source
Version: 4.1.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Pirate Praveen <[email protected]>
Closes: 1087290
Changes:
 ruby-sinatra (4.1.1-1) experimental; urgency=medium
 .
   * New upstream version 4.1.1 (Closes: #1087290) (Fixes: CVE-2024-21510)
   * Bump Standards-Version to 4.7.0 (no changes needed)
   * Update build dependencies (drop rainbows, thin)
   * Ignore ruby3.1 test failures (ruby 3.1 has only logger 1.5 but sinatra
     needs 1.6)
   * Remove X?-Ruby-Versions fields from d/control
Checksums-Sha1:
 6c0ae15935bae45fabf433e17d2632b60c8842f7 2991 ruby-sinatra_4.1.1-1.dsc
 875083b0f434563f021d9657b2ab29c4d1547db5 271795 ruby-sinatra_4.1.1.orig.tar.gz
 74c8ed3dd34087471af45ae2b81b5a8df93333b6 7504 ruby-sinatra_4.1.1-1.debian.tar.xz
 6f741bd1870bd4b8e36ebfcd7f115d8aee8431af 11669 ruby-sinatra_4.1.1-1_amd64.buildinfo
Checksums-Sha256:
 f0a3aacb158cc9f8261e27a8ba5d74d89c9ad24344966c258d5970e11d477897 2991 ruby-sinatra_4.1.1-1.dsc
 c05c582bfed0757e961a6ceee8cc5586896af396afc2dd5e65fbbff1a06a9918 271795 ruby-sinatra_4.1.1.orig.tar.gz
 333a7dc12ff77dc23b11bbfc08feacaf40e386e03ed304abe7d7f54951966a4c 7504 ruby-sinatra_4.1.1-1.debian.tar.xz
 6d3b1000fe870f52fa78ee9fb7b510f1512a7b20184f3bedeecbcd81f8267df9 11669 ruby-sinatra_4.1.1-1_amd64.buildinfo
Files:
 39af790b16efa3332e5546c221767c5a 2991 ruby optional ruby-sinatra_4.1.1-1.dsc
 311d669098a31cbd97ca43d762946213 271795 ruby optional ruby-sinatra_4.1.1.orig.tar.gz
 d491eba56f6e519dabe712acb0f567f8 7504 ruby optional ruby-sinatra_4.1.1-1.debian.tar.xz
 e662a03de68b23ed9b68d939f1018291 11669 ruby optional ruby-sinatra_4.1.1-1_amd64.buildinfo


Attachment: pgpmPYvXKD9FU.pgp
Description: PGP signature


--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
