Your message dated Sat, 09 Nov 2019 09:05:19 +0000
with message-id <e1itmgj-000dzv...@fasolo.debian.org>
and subject line Bug#941222: fixed in ruby-zip 2.0.0-1
has caused the Debian Bug report #941222,
regarding ruby-zip: CVE-2019-16892
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
941222: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941222
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-zip
Version: 1.2.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/rubyzip/rubyzip/pull/403

Hi,

The following vulnerability was published for ruby-zip.

CVE-2019-16892[0]:
| In Rubyzip before 1.3.0, a crafted ZIP file can bypass application
| checks on ZIP entry sizes because data about the uncompressed size can
| be spoofed. This allows attackers to cause a denial of service (disk
| consumption).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16892
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16892
[1] https://github.com/rubyzip/rubyzip/pull/403

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
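The bypass the CVE text describes (an entry-size check that reads the uncompressed size from the archive header, which a crafted file controls) and the defender's alternative, as an added example that is neither rubyzip's code nor part of the bug report above; the deflate stream, the spoofed header value and the 64 KiB limit are all constructed for the demonstration.

```ruby
require 'zlib'

# Constructed demo of the CVE-2019-16892 class of bug: the uncompressed size an
# application reads from a ZIP entry header is attacker-controlled, so a quota
# check that trusts it can be bypassed. The safe check counts bytes as they
# actually leave the decompressor. ZIP stores raw deflate streams, hence the
# negative window-bits argument (-MAX_WBITS = no zlib wrapper) used below.
MAX_ENTRY_BYTES = 64 * 1024  # hypothetical per-entry quota for this demo

def raw_deflate(content)
  z = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  data = z.deflate(content, Zlib::FINISH)
  z.close
  data
end

# Constructed "entry": 1 MiB of real content while the header claims 16 bytes.
REAL_CONTENT = "\0" * (1024 * 1024)
ENTRY_DATA = raw_deflate(REAL_CONTENT)
SPOOFED_UNCOMPRESSED_SIZE = 16  # hypothetical value a crafted archive would carry

class EntryTooLarge < StandardError; end

# The bypassed check: trusts the header field alone.
def header_size_ok?(claimed_size, limit)
  claimed_size <= limit
end

# Hardened check: reject early on the header, then stream-inflate and stop as
# soon as the real output exceeds the limit; finally require the real size to
# match the header, so a lying header is rejected even when under the limit.
def check_entry(compressed, claimed_size, limit)
  return :rejected_by_header unless header_size_ok?(claimed_size, limit)
  actual = 0
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  begin
    inflater.inflate(compressed) do |chunk|   # block form yields output chunks
      actual += chunk.bytesize
      raise EntryTooLarge if actual > limit   # abort before more hits the disk
    end
  rescue EntryTooLarge
    return :too_large
  ensure
    inflater.close
  end
  actual == claimed_size ? :ok : :size_mismatch
end
```

In a real extractor the per-chunk write to disk sits inside the block, so the quota is enforced on bytes written rather than on metadata.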
--- Begin Message ---
Source: ruby-zip
Source-Version: 2.0.0-1

We believe that the bug you reported is fixed in the latest version of
ruby-zip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 941...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Suárez <david.sephi...@gmail.com> (supplier of updated ruby-zip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sat, 09 Nov 2019 00:32:04 +0100
Source: ruby-zip
Architecture: source
Version: 2.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: David Suárez <david.sephi...@gmail.com>
Closes: 941222
Changes:
 ruby-zip (2.0.0-1) unstable; urgency=medium
 .
   [ David Suárez ]
   * New Upstream version (Closes: #941222).
   * d/control:
     - Update Standards version; (no changes needed).
     - Bump debhelper from 9 to 12.
     - Add myself as uploader.
     - Wrap and sort.
     - Add 'Rules-Requires-Root' field.
     - Change architecture to arch-all.
   * d/watch: fix package rename.
   * d/copyright:
     - Update debian related files years.
     - Update format URL to secure protocol.
   * Add upstream data.
   * Clean trailing whitespace.
   * d/patches:
     - Drop 'fix-random-tests-failures'; Applied upstream.
     - Drop 'ignore-simplecov.diff'; Seems to work now.
   * Drop d/source/include-binaries; Is unused.


--- End Message ---