Bug#881445: marked as done (ruby-ox: CVE-2017-15928: Segmentation fault in the parse_obj)

2017-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2017 19:32:57 +
with message-id 
and subject line Bug#881445: fixed in ruby-ox 2.1.1-2+deb8u1
has caused the Debian Bug report #881445,
regarding ruby-ox: CVE-2017-15928: Segmentation fault in the parse_obj
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
881445: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-ox
Version: 2.1.1-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/ohler55/ox/issues/194

Hi,

the following vulnerability was published for ruby-ox.

Rationale for RC severity: think the issue warrants to be addressed for
the next stable release. The issue itself possibly though does not
warrant a DSA on its own for stretch and jessie.

CVE-2017-15928[0]:
| In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation
| fault when a crafted input is supplied to parse_obj. NOTE: the vendor
| has stated "Ox should handle the error more gracefully" but has not
| confirmed a security implication.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15928
[1] https://github.com/ohler55/ox/issues/194
[2] https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ruby-ox
Source-Version: 2.1.1-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
ruby-ox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 881...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cédric Boutillier  (supplier of updated ruby-ox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 26 Nov 2017 01:08:40 +0100
Source: ruby-ox
Binary: ruby-ox
Architecture: source amd64
Version: 2.1.1-2+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers 

Changed-By: Cédric Boutillier 
Description:
 ruby-ox - fast XML parser and object serializer
Closes: 881445
Changes:
 ruby-ox (2.1.1-2+deb8u1) jessie; urgency=medium
 .
   * Team upload
   * Add fix_parse_obj_segfault.patch picked from upstream
     + fix CVE-2017-15928: segmentation fault in parse_obj
       (Closes: #881445)

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-
--- End Message ---


Bug#881445: marked as done (ruby-ox: CVE-2017-15928: Segmentation fault in the parse_obj)

2017-11-29 Thread Debian Bug Tracking System
Your message dated Wed, 29 Nov 2017 09:02:46 +
with message-id 
and subject line Bug#881445: fixed in ruby-ox 2.1.1-2+deb9u1
has caused the Debian Bug report #881445,
regarding ruby-ox: CVE-2017-15928: Segmentation fault in the parse_obj
to be marked as done.

--- Begin Message ---
Source: ruby-ox
Source-Version: 2.1.1-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
ruby-ox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 881...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cédric Boutillier  (supplier of updated ruby-ox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 26 Nov 2017 01:08:40 +0100
Source: ruby-ox
Binary: ruby-ox
Architecture: source
Version: 2.1.1-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers 

Changed-By: Cédric Boutillier 
Description:
 ruby-ox - fast XML parser and object serializer
Closes: 881445
Changes:
 ruby-ox (2.1.1-2+deb9u1) stretch; urgency=medium
 .
   * Team upload
   * Add fix_parse_obj_segfault.patch picked from upstream
     + fix CVE-2017-15928: segmentation fault in parse_obj
       (Closes: #881445)

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-
--- End Message ---


Bug#881445: marked as done (ruby-ox: CVE-2017-15928: Segmentation fault in the parse_obj)

2017-11-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Nov 2017 15:06:17 +
with message-id 
and subject line Bug#881445: fixed in ruby-ox 2.8.2-1
has caused the Debian Bug report #881445,
regarding ruby-ox: CVE-2017-15928: Segmentation fault in the parse_obj
to be marked as done.

--- Begin Message ---
Source: ruby-ox
Source-Version: 2.8.2-1

We believe that the bug you reported is fixed in the latest version of
ruby-ox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 881...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cédric Boutillier  (supplier of updated ruby-ox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 18 Nov 2017 15:04:44 +0100
Source: ruby-ox
Binary: ruby-ox
Architecture: source
Version: 2.8.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers 

Changed-By: Cédric Boutillier 
Description:
 ruby-ox - fast XML parser and object serializer
Closes: 881445
Changes:
 ruby-ox (2.8.2-1) unstable; urgency=medium
 .
   * New upstream version 2.8.2
     + fix CVE-2017-15928: segmentation fault in parse_obj
       (Closes: #881445)
   * Remove version in the gem2deb build-dependency
   * Use https:// in Vcs-* fields
   * Run wrap-and-sort on packaging files
   * Bump Standards-Version to 4.1.1 (no changes needed)
   * Bump debhelper compatibility level to 10
   * Refresh 000-fix-so-load-path.patch

-BEGIN PGP SIGNATURE-
