Bug#868572: marked as done (ruby-mixlib-archive: CVE-2017-1000026)

2017-07-22 Thread Debian Bug Tracking System
Your message dated Sat, 22 Jul 2017 21:18:09 +
with message-id 
and subject line Bug#868572: fixed in ruby-mixlib-archive 0.2.0-1+deb9u1
has caused the Debian Bug report #868572,
regarding ruby-mixlib-archive: CVE-2017-1000026
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
868572: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868572
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-mixlib-archive
Version: 0.2.0-1
Severity: important
Tags: upstream patch security fixed-upstream
Forwarded: https://github.com/chef/mixlib-archive/pull/6

Hi,

the following vulnerability was published for ruby-mixlib-archive.

CVE-2017-1000026[0]:
| Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable
| to a directory traversal attack allowing attackers to overwrite
| arbitrary files by using ".." in tar archive entries

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000026
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000026
[1] https://github.com/chef/mixlib-archive/pull/6

Regards,
Salvatore
--- End Message ---
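
An added example, not part of the original thread and not the upstream mixlib-archive patch: one way to refuse tar entry names that would resolve outside the extraction directory, the class of bug the CVE text above describes. The helper names (`safe_target`, `audit_tar`, `sample_archive`) and the `/srv/unpack` destination are assumptions; the archive is constructed in memory with RubyGems' own tar classes.

```ruby
require "rubygems/package"
require "stringio"
require "pathname"

# Return the absolute target path for a tar entry name, or nil when the
# name is absolute or its ".." components lead outside dest_dir.
def safe_target(dest_dir, entry_name)
  root = Pathname.new(File.expand_path(dest_dir))
  name = Pathname.new(entry_name)
  return nil if name.absolute?
  target = (root + name).cleanpath
  # Compare with a trailing separator so /srv/unpack-x is not mistaken
  # for a path inside /srv/unpack.
  inside = target == root || target.to_s.start_with?(root.to_s + File::SEPARATOR)
  inside ? target.to_s : nil
end

# Sort the entry names of a tar stream into those that stay under
# dest_dir and those that must be refused. Nothing is written to disk.
def audit_tar(io, dest_dir)
  report = { ok: [], refused: [] }
  Gem::Package::TarReader.new(io) do |tar|
    tar.each do |entry|
      key = safe_target(dest_dir, entry.full_name) ? :ok : :refused
      report[key] << entry.full_name
    end
  end
  report
end

# Constructed sample archive (hypothetical entry names), built in memory.
def sample_archive(names)
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    names.each { |n| tar.add_file_simple(n, 0o644, 4) { |f| f.write("data") } }
  end
  io.rewind
  io
end

SAMPLE_NAMES = ["app/config.yml", "app/../app/readme.txt", "../../etc/cron.d/job"].freeze

if __FILE__ == $PROGRAM_NAME
  p audit_tar(sample_archive(SAMPLE_NAMES), "/srv/unpack")
end
```

The check is lexical only: an archive that also carries symlink entries needs a separate check on link targets before anything is written through them.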
--- Begin Message ---
Source: ruby-mixlib-archive
Source-Version: 0.2.0-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
ruby-mixlib-archive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hleb Valoshka <375...@gmail.com> (supplier of updated ruby-mixlib-archive 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 17 Jul 2017 17:42:56 +0300
Source: ruby-mixlib-archive
Binary: ruby-mixlib-archive
Architecture: source all
Version: 0.2.0-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers 

Changed-By: Hleb Valoshka <375...@gmail.com>
Description:
 ruby-mixlib-archive - simple interface to various archive formats
Closes: 868572
Changes:
 ruby-mixlib-archive (0.2.0-1+deb9u1) stretch-security; urgency=high
 .
   * Prevent directory traversal attack CVE-2017-1000026 (Closes: #868572)

Bug#868572: marked as done (ruby-mixlib-archive: CVE-2017-1000026)

2017-07-21 Thread Debian Bug Tracking System
Your message dated Fri, 21 Jul 2017 12:21:27 +
with message-id 
and subject line Bug#868572: fixed in ruby-mixlib-archive 0.4.1-1
has caused the Debian Bug report #868572,
regarding ruby-mixlib-archive: CVE-2017-1000026
to be marked as done.

--- Begin Message ---
Source: ruby-mixlib-archive
Source-Version: 0.4.1-1

We believe that the bug you reported is fixed in the latest version of
ruby-mixlib-archive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lucas Kanashiro  (supplier of updated ruby-mixlib-archive 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 21 Jul 2017 07:57:55 -0300
Source: ruby-mixlib-archive
Binary: ruby-mixlib-archive
Architecture: source
Version: 0.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers 

Changed-By: Lucas Kanashiro 
Description:
 ruby-mixlib-archive - simple interface to various archive formats
Closes: 868572
Changes:
 ruby-mixlib-archive (0.4.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 0.4.1: fixes CVE-2017-1000026 (Closes: #868572)
   * Bump debhelper compatibility level to 10
   * Declare compliance with Debian Policy 4.0.0