Your message dated Sun, 15 Nov 2015 07:08:13 +0000
with message-id <[email protected]>
and subject line Bug#787951: fixed in ruby-bson 1.10.0-2
has caused the Debian Bug report #787951,
regarding ruby-bson: CVE-2015-4410: DoS and possible injection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
787951: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787951
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-bson
Version: 1.10.0-1
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for ruby-bson.
CVE-2015-4410[0]:
DoS and possible injection
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-4410
[1] http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
[2] http://www.openwall.com/lists/oss-security/2015/06/06/3
It can be checked e.g. via:
$ cat CVE-2015-4410.rb
require 'bson'
b=BSON::ObjectId
raise "DoS!" if b.legal? "a"*24+"\n"
raise "Injection!" if b.legal? "a"*24+"\na"
$ BSON_EXT_DISABLED=1 ruby CVE-2015-4410.rb
** Notice: The native BSON extension was not loaded. **
For optimal performance, use of the BSON extension is recommended.
To enable the extension make sure ENV['BSON_EXT_DISABLED'] is not set
and run the following command:
gem install bson_ext
If you continue to receive this message after installing, make sure that
the bson_ext gem is in your load path.
CVE-2015-4410.rb:3:in `<main>': DoS! (RuntimeError)
Regards,
Salvatore
--- End Message ---
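The probe strings above exercise a regex anchoring bug: in Ruby, `^` and `$` match at line boundaries, so a 24-character hex id followed by a newline (and anything after it) still satisfies a `/^...$/` check. The following is an added example, not code from the bug report or from the bson gem: a stand-alone reconstruction of a `legal?`-style check in its vulnerable, half-fixed (`\Z`) and fixed (`\A...\z`) forms, run against the two probe inputs from the report. The regex bodies are my assumption of the pattern class involved, not a quote of the gem's source.

```ruby
# Added example (not the bson gem's code): three variants of an
# ObjectId "legal?" check, showing how anchor choice decides whether
# the CVE-2015-4410 probe strings are accepted. Regexes are assumed.

# Vulnerable form (assumed): ^ and $ match at *line* boundaries in Ruby,
# so "<24 hex chars>\n<anything>" still matches on its first line.
def legal_vulnerable?(str)
  !!(str =~ /^[0-9a-f]{24}$/i)
end

# Common incomplete fix: \Z still permits a single trailing newline,
# so the "DoS" probe from the report is still accepted.
def legal_big_z?(str)
  !!(str =~ /\A[0-9a-f]{24}\Z/i)
end

# Hardened form: \A and \z anchor to the start and the very end of the
# whole string; a trailing newline or a second line is rejected.
def legal_fixed?(str)
  !!(str =~ /\A[0-9a-f]{24}\z/i)
end

# Constructed inputs: a valid-looking id plus the two probes from the report.
VALID_ID  = "a" * 24
DOS_PROBE = "a" * 24 + "\n"    # trailing newline
INJ_PROBE = "a" * 24 + "\na"   # second line smuggled past ^/$

# Runs one check function over all three inputs and returns the verdicts.
def check_all(legal)
  {
    valid:     legal.call(VALID_ID),
    dos:       legal.call(DOS_PROBE),
    injection: legal.call(INJ_PROBE),
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable (^/$):   #{check_all(method(:legal_vulnerable?))}"
  puts "half-fixed (\\A/\\Z): #{check_all(method(:legal_big_z?))}"
  puts "fixed (\\A/\\z):      #{check_all(method(:legal_fixed?))}"
end
```

Only the `\A...\z` form rejects both probes; `\Z` is a frequent near-miss because it tolerates one trailing newline.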
--- Begin Message ---
Source: ruby-bson
Source-Version: 1.10.0-2
We believe that the bug you reported is fixed in the latest version of
ruby-bson, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Prach Pongpanich <[email protected]> (supplier of updated ruby-bson package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 15 Nov 2015 12:15:48 +0700
Source: ruby-bson
Binary: ruby-bson
Architecture: source all
Version: 1.10.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Prach Pongpanich <[email protected]>
Description:
ruby-bson - Ruby implementation of BSON
Closes: 787951
Changes:
ruby-bson (1.10.0-2) unstable; urgency=medium
.
* Fix CVE-2015-4410: DoS and possible injection (Closes: #787951)
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers