Your message dated Sat, 10 Feb 2018 21:09:38 +0000
with message-id <[email protected]>
and subject line Bug#888523: fixed in ruby-omniauth 1.2.1-1+deb8u1
has caused the Debian Bug report #888523,
regarding ruby-omniauth: CVE-2017-18076: security issue in returning post
parameters from session in callback phase
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
888523: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888523
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-omniauth
Version: 1.2.1-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://github.com/omniauth/omniauth/pull/867
Control: fixed -1 1.6.1-1
For tracking this security issue in ruby-omniauth:
> The request phase of omniauth stores request.params in the session, which are
> later assigned to the env of the callback phase. According to the docs we should
> only store query params, but in this case both GET and POST params get
> stored. POST params can contain the authenticity_token of the application to
> protect from CSRF issues. We shouldn't leak such tokens from POST
> params.
https://github.com/omniauth/omniauth/pull/867
[A CVE has been requested]
Regards,
Salvatore
--- End Message ---
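To make the session round trip described in the report above concrete, here is an added example (not omniauth's own code and not part of this bug report): a stand-in for Rack::Request with separate GET/POST/params accessors, the request phase in its vulnerable form (storing the merged params) beside the fixed form (storing only the query parameters), and the callback phase that copies the stored hash into env. The class and method names (FakeRequest, request_phase_vulnerable, request_phase_fixed, callback_phase, leaked_keys) and the 'omniauth.params' session key are assumptions made for this illustration.

```ruby
require 'uri'

# Stand-in for Rack::Request (constructed for this example): the query string and
# the form body are parsed separately, and `params` merges both, as Rack does.
class FakeRequest
  def initialize(query_string, body)
    @query_string = query_string
    @body = body
  end

  def GET
    URI.decode_www_form(@query_string).to_h
  end

  def POST
    URI.decode_www_form(@body).to_h
  end

  def params
    self.GET.merge(self.POST)
  end
end

# Request phase, vulnerable form: the merged params (query and body) go into the session.
def request_phase_vulnerable(request, session)
  session['omniauth.params'] = request.params
end

# Request phase, fixed form: only query-string parameters are persisted.
def request_phase_fixed(request, session)
  session['omniauth.params'] = request.GET
end

# Callback phase: whatever was stored is handed back to the application via env.
def callback_phase(session, env)
  env['omniauth.params'] = session.delete('omniauth.params') || {}
  env
end

# Runs one request/callback round trip for a constructed form POST that carries the
# application's CSRF token in the body and a harmless option in the query string,
# and returns the parameter names that reach the callback env.
def leaked_keys(phase)
  request = FakeRequest.new('origin=%2Fdashboard',
                            'authenticity_token=SECRET123&utf8=%E2%9C%93')
  session = {}
  phase.call(request, session)
  callback_phase(session, {})['omniauth.params'].keys
end
```

With the vulnerable request phase, `leaked_keys` returns `["origin", "authenticity_token", "utf8"]`; with the fixed one it returns only `["origin"]`, so the CSRF token never reaches the session or the callback env.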
--- Begin Message ---
Source: ruby-omniauth
Source-Version: 1.2.1-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
ruby-omniauth, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pirate Praveen <[email protected]> (supplier of updated ruby-omniauth package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 31 Jan 2018 15:25:20 +0530
Source: ruby-omniauth
Binary: ruby-omniauth
Architecture: source all
Version: 1.2.1-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Pirate Praveen <[email protected]>
Description:
ruby-omniauth - flexible authentication system utilizing Rack middleware
Closes: 888523
Changes:
ruby-omniauth (1.2.1-1+deb8u1) jessie-security; urgency=high
  .
  * Fix security issue in returning post parameters from session in callback
    phase (CVE-2017-18076) (Closes: #888523)
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers