Your message dated Thu, 19 Nov 2015 19:56:24 +0000
with message-id <[email protected]>
and subject line Bug#787951: fixed in ruby-bson 1.10.0-1+deb8u1
has caused the Debian Bug report #787951,
regarding ruby-bson: CVE-2015-4410: DoS and possible injection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
787951: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787951
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-bson
Version: 1.10.0-1
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for ruby-bson.
CVE-2015-4410[0]:
DoS and possible injection
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-4410
[1] http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
[2] http://www.openwall.com/lists/oss-security/2015/06/06/3
It can be checked e.g. via:
$ cat CVE-2015-4410.rb
require 'bson'
b=BSON::ObjectId
raise "DoS!" if b.legal? "a"*24+"\n"
raise "Injection!" if b.legal? "a"*24+"\na"
$ BSON_EXT_DISABLED=1 ruby CVE-2015-4410.rb
** Notice: The native BSON extension was not loaded. **
For optimal performance, use of the BSON extension is recommended.
To enable the extension make sure ENV['BSON_EXT_DISABLED'] is not set
and run the following command:
gem install bson_ext
If you continue to receive this message after installing, make sure that
the bson_ext gem is in your load path.
CVE-2015-4410.rb:3:in `<main>': DoS! (RuntimeError)
Regards,
Salvatore
--- End Message ---
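The reproducer above turns on one Ruby regex detail: `^` and `$` anchor to line boundaries, so a 24-hex-character string followed by a newline (and anything after it) still satisfies a line-anchored check. The script below is an added example, not part of Salvatore's report or of the ruby-bson package; the `LINE_ANCHORED` pattern is an assumption modeled on the behaviour the report describes, not the gem's literal source. It shows the two report inputs passing the line-anchored check, failing a `\A...\z` check, and the `\Z` pitfall that still lets the trailing-newline case through.

```ruby
# Added example: why a line-anchored ObjectId check accepts the CVE-2015-4410
# reproducer inputs, and what a whole-string check looks like. Not ruby-bson code.

# Assumption: modeled on a pre-fix style check; ^ and $ match at line breaks.
LINE_ANCHORED = /^[0-9a-f]{24}$/i

# Hardened: \A and \z anchor to the start and the very end of the string.
# \h is Ruby's hex-digit class, so no /i flag is needed.
STRING_ANCHORED = /\A\h{24}\z/

# Pitfall: \Z (capital) also matches just before a final "\n", so the
# "DoS!" input from the report would still be accepted by this one.
TRAILING_NEWLINE_TOLERANT = /\A\h{24}\Z/

def legal_line_anchored?(str)
  str.is_a?(String) && !!(LINE_ANCHORED =~ str)
end

def legal_string_anchored?(str)
  str.is_a?(String) && !!(STRING_ANCHORED =~ str)
end

def legal_trailing_newline_tolerant?(str)
  str.is_a?(String) && !!(TRAILING_NEWLINE_TOLERANT =~ str)
end

# Constructed samples: the two inputs from the report plus a valid id,
# a short id, an uppercase id and a non-String value.
SAMPLES = {
  "report DoS input"       => "a" * 24 + "\n",
  "report injection input" => "a" * 24 + "\na",
  "valid lowercase id"     => "0123456789abcdef01234567",
  "valid uppercase id"     => "0123456789ABCDEF01234567",
  "too short"              => "a" * 23,
  "not a string"           => nil,
}

# Returns { label => [line_anchored, string_anchored, z_tolerant] } so the
# three checks can be compared side by side on every sample.
def classify(samples = SAMPLES)
  samples.each_with_object({}) do |(label, value), out|
    out[label] = [
      legal_line_anchored?(value),
      legal_string_anchored?(value),
      legal_trailing_newline_tolerant?(value),
    ]
  end
end

if __FILE__ == $0
  puts format("%-24s %-6s %-6s %-6s", "input", "^..$", "\\A..\\z", "\\A..\\Z")
  classify.each do |label, (line, whole, z)|
    puts format("%-24s %-6s %-6s %-6s", label, line, whole, z)
  end
end
```

Only the `\A...\z` column rejects both report inputs while still accepting valid ids of either case; the `\Z` column is the one that looks fixed but is not.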
--- Begin Message ---
Source: ruby-bson
Source-Version: 1.10.0-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
ruby-bson, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Prach Pongpanich <[email protected]> (supplier of updated ruby-bson package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 16 Nov 2015 08:55:51 +0700
Source: ruby-bson
Binary: ruby-bson
Architecture: source all
Version: 1.10.0-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Prach Pongpanich <[email protected]>
Description:
ruby-bson - Ruby implementation of BSON
Closes: 787951
Changes:
ruby-bson (1.10.0-1+deb8u1) jessie; urgency=medium
.
* Fix CVE-2015-4410: DoS and possible injection (Closes: #787951)
Checksums-Sha1:
9be404d221f11586f4682d94eab11d0f45145ebd 2116 ruby-bson_1.10.0-1+deb8u1.dsc
74bc5c0983a2acfd449b0c5237aeeccfa5332780 5808 ruby-bson_1.10.0-1+deb8u1.debian.tar.xz
1da992e9c15b001455f3d24beafd7d8b377ebb1c 19120 ruby-bson_1.10.0-1+deb8u1_all.deb
Checksums-Sha256:
81188758e096bd789bda902ca9aa095260fe0382cd4a1d4dcb0c6f020a9adf70 2116 ruby-bson_1.10.0-1+deb8u1.dsc
d15f801c5885ca21718d9f58f382bc582c664f732f8d6a26afc2484a90cfac99 5808 ruby-bson_1.10.0-1+deb8u1.debian.tar.xz
dd496fedd22a733ad3708666a724f8a8595e08a0c53139dc3e4397e14fb3baf9 19120 ruby-bson_1.10.0-1+deb8u1_all.deb
Files:
80337bd3f74f104a7e726f0e513346dd 2116 ruby optional ruby-bson_1.10.0-1+deb8u1.dsc
9450023eea7097a0ca87ea87526445b3 5808 ruby optional ruby-bson_1.10.0-1+deb8u1.debian.tar.xz
a469aeae6f58a4a8b72aaf7a56332297 19120 ruby optional ruby-bson_1.10.0-1+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=rtJn
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers