Your message dated Wed, 08 Nov 2017 13:52:37 +0000
with message-id <e1ecqmt-000hhx...@fasolo.debian.org>
and subject line Bug#880691: fixed in ruby-yajl 1.2.0-3.1
has caused the Debian Bug report #880691,
regarding ruby-yajl: CVE-2017-16516
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
880691: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880691
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-yajl
Version: 1.2.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/brianmario/yajl-ruby/issues/176

Hi,

the following vulnerability was published for ruby-yajl.

CVE-2017-16516[0]:
| In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is
| supplied to Yajl::Parser.new.parse, the whole ruby process crashes with
| a SIGABRT in the yajl_string_decode function in yajl_encode.c. This
| results in the whole ruby process terminating and potentially a denial
| of service.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16516
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16516
[1] https://github.com/brianmario/yajl-ruby/issues/176

Regards,
Salvatore

--- End Message ---
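A practical note on the impact described in the report above: a SIGABRT raised inside a C extension such as yajl-ruby cannot be rescued from Ruby code, so one crafted document takes down the entire interpreter. The usual containment for that failure mode is to run the parser in a forked child and let only the child die. The following is an added example written for this page, not code from the Debian report or the yajl-ruby project. It assumes a Linux/POSIX Ruby with fork; the `ABORTING_PARSER` stand-in and its `"boom"` trigger are constructed for the demo (the real CVE-2017-16516 input is not reproduced here), and the standard-library `JSON` parser is used so it runs without the gem.

```ruby
require 'json'

# Run an untrusted-input parser in a forked child so that a crash in a native
# extension (for example a SIGABRT from yajl_string_decode) kills only the
# child and the parent service keeps running.
#
# `parser` is any callable mapping a String to a Ruby object, e.g.
#   ->(s) { Yajl::Parser.new.parse(s) }    # assumes the yajl-ruby gem
#
# Returns [:ok, object], [:error, message] or [:crashed, signal_name].
def parse_isolated(input, parser)
  reader, writer = IO.pipe
  pid = fork do
    reader.close
    begin
      result = parser.call(input)
      # Re-encode with the standard library so the parent only ever decodes
      # plain JSON text and never runs Marshal.load on bytes from a child
      # whose memory may already be corrupted.
      writer.write("ok\n" + JSON.generate(result))
    rescue StandardError => e
      writer.write("error\n" + e.message)
    end
    writer.close
    exit!(0) # skip at_exit hooks inherited from the parent
  end
  writer.close
  payload = reader.read # returns when the child closes its end or dies
  reader.close
  _, status = Process.wait2(pid)

  return [:crashed, Signal.signame(status.termsig)] if status.signaled?

  kind, body = payload.split("\n", 2)
  case kind
  when 'ok'    then [:ok, JSON.parse(body)]
  when 'error' then [:error, body]
  else              [:error, "child exited #{status.exitstatus} without a result"]
  end
end

# Constructed stand-in for a parser that aborts on crafted input (assumption:
# a document containing "boom" plays the role of the crafted JSON file).
ABORTING_PARSER = lambda do |s|
  Process.kill(:ABRT, Process.pid) if s.include?('"boom"') # child dies here
  JSON.parse(s)
end

if __FILE__ == $PROGRAM_NAME
  p parse_isolated('{"a": [1, 2, 3]}', ABORTING_PARSER)
  p parse_isolated('{"a": [1, 2', ABORTING_PARSER)
  p parse_isolated('{"x": "boom"}', ABORTING_PARSER)
  puts "parent pid #{Process.pid} survived the aborted child"
end
```

The fork-per-request cost is real, so in a service you would normally keep a small pool of worker processes rather than fork per document; the property that matters is the same either way: an abort in the parser is reported as `[:crashed, "ABRT"]` instead of ending the process that accepted the request. Upgrading to a fixed package, as the close message below records, remains the actual fix; the isolation only limits blast radius while that happens.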
--- Begin Message ---
Source: ruby-yajl
Source-Version: 1.2.0-3.1

We believe that the bug you reported is fixed in the latest version of
ruby-yajl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 880...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated ruby-yajl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 08 Nov 2017 07:31:37 +0100
Source: ruby-yajl
Binary: ruby-yajl
Architecture: source
Version: 1.2.0-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 880691
Description: 
 ruby-yajl  - Ruby interface to Yajl, a JSON stream-based parser library
Changes:
 ruby-yajl (1.2.0-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2017-16516: Crafted JSON file allows crashing the ruby process with a
     SIGABRT in the yajl_string_decode function (Closes: #880691)
Checksums-Sha1: 
 7aba26f825c8ad16728d4b79f72b3cc0885c4e31 2316 ruby-yajl_1.2.0-3.1.dsc
 4c3154e35aa82e0143194047d83190f79167f35c 6048 ruby-yajl_1.2.0-3.1.debian.tar.xz
 2339a8cdb8ad028a3bae8db1a56d7c54ed1fd0cb 5920 ruby-yajl_1.2.0-3.1_source.buildinfo
Checksums-Sha256: 
 1b7deee6177ebdccdf8fe6c4d075be44dc9679ca0f43851acece9b6940811d29 2316 ruby-yajl_1.2.0-3.1.dsc
 e47d1bca00facfb09e214d803bde385357ca1b46712b44b98a30cf329e4877f3 6048 ruby-yajl_1.2.0-3.1.debian.tar.xz
 c62ba380bd3a786266893c0032d4a7c198f524b8d94e6740116f519e116ff9cf 5920 ruby-yajl_1.2.0-3.1_source.buildinfo
Files: 
 b77ddbe13a375c5eebbb207628e63ed7 2316 ruby optional ruby-yajl_1.2.0-3.1.dsc
 f41ded7b1f374fce0227e8f5dad05c70 6048 ruby optional ruby-yajl_1.2.0-3.1.debian.tar.xz
 1130f4551e43a73c19a1c1a1f2f9499e 5920 ruby optional ruby-yajl_1.2.0-3.1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers