Bug#868572: marked as done (ruby-mixlib-archive: CVE-2017-1000026)
Your message dated Sat, 22 Jul 2017 21:18:09 +
with message-id and subject line Bug#868572: fixed in ruby-mixlib-archive 0.2.0-1+deb9u1
has caused the Debian Bug report #868572,
regarding ruby-mixlib-archive: CVE-2017-1000026
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
868572: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868572
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: ruby-mixlib-archive
Version: 0.2.0-1
Severity: important
Tags: upstream patch security fixed-upstream
Forwarded: https://github.com/chef/mixlib-archive/pull/6

Hi,

the following vulnerability was published for ruby-mixlib-archive.

CVE-2017-1000026[0]:
| Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable
| to a directory traversal attack allowing attackers to overwrite
| arbitrary files by using ".." in tar archive entries

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000026
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000026
[1] https://github.com/chef/mixlib-archive/pull/6

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: ruby-mixlib-archive
Source-Version: 0.2.0-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
ruby-mixlib-archive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hleb Valoshka <375...@gmail.com> (supplier of updated ruby-mixlib-archive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Mon, 17 Jul 2017 17:42:56 +0300
Source: ruby-mixlib-archive
Binary: ruby-mixlib-archive
Architecture: source all
Version: 0.2.0-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers
Changed-By: Hleb Valoshka <375...@gmail.com>
Description:
 ruby-mixlib-archive - simple interface to various archive formats
Closes: 868572
Changes:
 ruby-mixlib-archive (0.2.0-1+deb9u1) stretch-security; urgency=high
 .
   * Prevent directory traversal attack CVE-2017-1000026 (Closes: #868572)
Bug#868572: marked as done (ruby-mixlib-archive: CVE-2017-1000026)
Your message dated Fri, 21 Jul 2017 12:21:27 +
with message-id and subject line Bug#868572: fixed in ruby-mixlib-archive 0.4.1-1
has caused the Debian Bug report #868572,
regarding ruby-mixlib-archive: CVE-2017-1000026
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
868572: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868572
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: ruby-mixlib-archive
Version: 0.2.0-1
Severity: important
Tags: upstream patch security fixed-upstream
Forwarded: https://github.com/chef/mixlib-archive/pull/6

Hi,

the following vulnerability was published for ruby-mixlib-archive.

CVE-2017-1000026[0]:
| Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable
| to a directory traversal attack allowing attackers to overwrite
| arbitrary files by using ".." in tar archive entries

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000026
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000026
[1] https://github.com/chef/mixlib-archive/pull/6

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: ruby-mixlib-archive
Source-Version: 0.4.1-1

We believe that the bug you reported is fixed in the latest version of
ruby-mixlib-archive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lucas Kanashiro (supplier of updated ruby-mixlib-archive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Fri, 21 Jul 2017 07:57:55 -0300
Source: ruby-mixlib-archive
Binary: ruby-mixlib-archive
Architecture: source
Version: 0.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers
Changed-By: Lucas Kanashiro
Description:
 ruby-mixlib-archive - simple interface to various archive formats
Closes: 868572
Changes:
 ruby-mixlib-archive (0.4.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 0.4.1: fixes CVE-2017-1000026 (Closes: #868572)
   * Bump debhelper compatibility level to 10
   * Declare compliance with Debian Policy 4.0.0