Source: gitlab
Version: 10.6.2+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: clone -1 -2 -3
Control: retitle -1 gitlab: Confidential issue comments in Slack, Mattermost,
and webhook integrations
Control: retitle -2 gitlab: Persistent XSS in milestones
Control: retitle -1 gitlab: CVE-2018-8801 CVE-2018-8971
Hi
On Fri, Mar 23, 2018 at 06:22:47PM +0100, Moritz Muehlenhoff wrote:
> Package: gitlab
> Severity: grave
> Tags: security
>
> Please see
> https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/
The
Source: ruby-sanitize
Version: 2.1.0-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/rgrove/sanitize/issues/176
Hi,
the following vulnerability was published for ruby-sanitize.
CVE-2018-3740[0]:
Sanitize HTML injection vulnerability
Code has changed quite a
Source: ruby-loofah
Version: 2.0.3-2
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/flavorjones/loofah/issues/144
Hi,
the following vulnerability was published for ruby-loofah.
CVE-2018-8048[0]:
XSS vulnerability
The issue is actually raised by an underlying
Source: ruby-rack-protection
Version: 1.5.2-1
Severity: grave
Tags: patch security upstream
Hi,
the following vulnerability was published for ruby-rack-protection.
CVE-2018-1000119[0]:
Timing attack in authenticity_token.rb
If you fix the vulnerability please also make sure to include the
CVE
Source: ruby-doorkeeper
Version: 4.2.0-3
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/doorkeeper-gem/doorkeeper/issues/969
Hi,
the following vulnerability was published for ruby-doorkeeper.
CVE-2018-188[0]:
Stored XSS vulnerability
If you fix the
Source: ruby-omniauth
Version: 1.2.1-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://github.com/omniauth/omniauth/pull/867
Control: fixed -1 1.6.1-1
For tracking this security issue in ruby-omniauth:
> Request phase of omniauth store request.params in session
Source: gitlab
Version: 8.13.11+dfsg1-12
Severity: grave
Tags: upstream security
Hi
See
https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/
for which several go back to 8.9.0 versions.
There are three CVEs out of
https://security-tracker.debian.org/tracker/source-package/gitlab
Source: redmine
Version: 3.3.1-1
Severity: important
Tags: security upstream
Forwarded: https://www.redmine.org/issues/27516
Hi,
the following vulnerability was published for redmine.
CVE-2017-18026[0]:
| Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does
| not block the
Source: ruby-net-ldap
Version: 0.12.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/ruby-ldap/ruby-net-ldap/issues/258
Hi,
the following vulnerability was published for ruby-net-ldap.
CVE-2017-17718[0]:
| The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has
Source: passenger
Version: 5.0.30-1
Severity: important
Tags: patch security upstream fixed-upstream
Hi,
the following vulnerability was published for passenger.
CVE-2017-16355[0]:
| In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed
| in Passenger Open Source 5.1.11 and
Hi Cédric,
On Fri, Dec 01, 2017 at 10:44:22PM +0100, Cédric Boutillier wrote:
> Hi,
>
> I have prepared a patch for Debian bug #882034 (CVE-2017-1000248) from
> by adapting the upstream patch from
>
> https://github.com/redis-store/redis-store/pull/290
>
> (which should be applied after
>
Source: redmine
Version: 3.3.1-4
Severity: important
Tags: patch security upstream
Forwarded: https://www.redmine.org/issues/27186
Hi,
the following vulnerability was published for redmine.
CVE-2017-15570[0]:
| In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3,
| XSS exists in
Source: redmine
Version: 3.3.1-4
Severity: important
Tags: patch security upstream
Forwarded: https://www.redmine.org/issues/27186
Hi,
the following vulnerability was published for redmine.
CVE-2017-15571[0]:
| In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3,
| XSS exists in
Source: redmine
Version: 3.3.1-4
Severity: important
Tags: patch security upstream
Forwarded: https://www.redmine.org/issues/27186
Hi,
the following vulnerability was published for redmine.
CVE-2017-15569[0]:
| In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3,
| XSS exists in
Source: ruby-redis-store
Version: 1.1.6-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/redis-store/redis-store/issues/289
Control: found -1 1.3.0-1
Hi,
the following vulnerability was published for ruby-redis-store.
CVE-2017-1000248[0]:
| Redis-store <=v1.3.0
Source: ruby-ox
Version: 2.1.1-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/ohler55/ox/issues/194
Hi,
the following vulnerability was published for ruby-ox.
Rationale for RC severity: I think the issue warrants being addressed for
the next stable release. The issue
Hi Chris!
On Wed, Nov 08, 2017 at 11:37:07AM +0100, Chris Hofstaedtler wrote:
> * Salvatore Bonaccorso <car...@debian.org> [171108 07:45]:
> > Dear maintainer,
> >
> > I've prepared an NMU for ruby-yajl (versioned as 1.2.0-3.1) and
> > uploaded it to DELAYED/5.
file allows to crash ruby process with a
+SIGABRT in the yajl_string_decode function (Closes: #880691)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Wed, 08 Nov 2017 07:31:37 +0100
+
ruby-yajl (1.2.0-3) unstable; urgency=medium
[ Balasankar C ]
diff -Nru ruby-yajl-1.2.0/debian/p
Source: ruby-yajl
Severity: normal
Hi
ruby-yajl embeds a copy of yajl, which is packaged for Debian.
src:yajl is packaged in Debian.
It might need some investigation first, but if possible please consider
switching to the system library for ruby-yajl instead of the embedded
copy.
Regards,
Source: ruby-yajl
Severity: wishlist
Hi
There is a new upstream version (1.3.1) of ruby-yajl available. Can you
package it for unstable?
Regards,
Salvatore
___
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
Source: ruby-yajl
Version: 1.2.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/brianmario/yajl-ruby/issues/176
Hi,
the following vulnerability was published for ruby-yajl.
CVE-2017-16516[0]:
| In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is
|
Control: severity -1 minor
On Thu, Aug 17, 2017 at 06:24:43PM +0530, Pirate Praveen wrote:
> On Tue, 15 Aug 2017 07:40:59 +0200 Salvatore Bonaccorso
> <car...@debian.org> wrote:
> > If you fix the vulnerability please also
> > make sure to include the
> > CVE (Common Vulnera
Source: gitlab
Version: 8.13.11+dfsg1-8
Severity: grave
Tags: security upstream
Forwarded: https://gitlab.com/gitlab-org/gitlab-ce/issues/35212
Hi,
the following vulnerability was published for gitlab.
CVE-2017-12426[0]:
| GitLab Community Edition (CE) and Enterprise Edition (EE) before
|
Source: rubocop
Version: 0.48.1+dfsg-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/bbatsov/rubocop/issues/4336
Hi,
the following vulnerability was published for rubocop.
CVE-2017-8418[0]:
| RuboCop 0.48.1 and earlier does not use /tmp in safe way, allowing
|
Source: rbenv
Version: 1.0.0-1
Severity: normal
Tags: upstream security
Forwarded: https://github.com/rbenv/rbenv/issues/977
Hi,
the following vulnerability was published for rbenv.
CVE-2017-147[0]:
| rbenv (all current versions) is vulnerable to Directory Traversal in
| the specification
Source: ruby-mixlib-archive
Version: 0.2.0-1
Severity: important
Tags: upstream patch security fixed-upstream
Forwarded: https://github.com/chef/mixlib-archive/pull/6
Hi,
the following vulnerability was published for ruby-mixlib-archive.
CVE-2017-126[0]:
| Chef Software's mixlib-archive
Source: gitlab
Version: 8.13.11+dfsg1-3
Severity: grave
Tags: upstream security
Forwarded: https://gitlab.com/gitlab-org/gitlab-ce/issues/27471
Hi,
the following vulnerability was published for gitlab. Please note I
was not able to verify that this affects back to 8.13.11, and the merge
request has
Control: reassign -1 src:ruby-zip
Control: forcemerge 856269 -1
Hi
On Fri, Mar 03, 2017 at 02:13:43PM -0600, Phillip Prescher wrote:
> Package: ruby-zip
> Version: 1.1.6-1
>
> Please see CVE-2017-5946. This version of the ruby-zip package is
> vulnerable to directory traversal attacks. Please
Hi Antonio,
On Tue, Feb 28, 2017 at 08:21:23AM -0300, Antonio Terceiro wrote:
> On Tue, Feb 28, 2017 at 08:08:21AM +0100, Salvatore Bonaccorso wrote:
> > Control: tags 856269 + pending
> >
> > Dear maintainer,
> >
> > I've prepared an NMU for ruby-zip (version
Hi Antonio!
On Tue, Feb 28, 2017 at 08:21:23AM -0300, Antonio Terceiro wrote:
> On Tue, Feb 28, 2017 at 08:08:21AM +0100, Salvatore Bonaccorso wrote:
> > Control: tags 856269 + pending
> >
> > Dear maintainer,
> >
> > I've prepared an NMU for ruby-zip (version
component
+(Closes: #856269)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Mon, 27 Feb 2017 17:38:59 +0100
+
ruby-zip (1.2.0-1) unstable; urgency=medium
* Team upload.
diff -Nru ruby-zip-1.2.0/debian/patches/CVE-2017-5946.patch ruby-zip-1.2.0/debian/patches/CVE-2017-5946.patch
--- ru
Source: ruby-zip
Version: 1.1.6-1
Severity: grave
Tags: upstream patch security
Forwarded: https://github.com/rubyzip/rubyzip/issues/315
Hi,
the following vulnerability was published for ruby-zip.
CVE-2017-5946[0]:
| The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a
|
Hi Markus,
On Mon, Jan 30, 2017 at 09:28:35AM +0100, Markus Frosch wrote:
> On 30.01.2017 07:08, Salvatore Bonaccorso wrote:
> > I've prepared an NMU for ruby-minitar (versioned as 0.5.4-3.1) and
> > uploaded it to DELAYED/5. Please feel free to tell me if I
> > s
vulnerability (Closes: #853075)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Mon, 30 Jan 2017 07:00:07 +0100
+
ruby-minitar (0.5.4-3) unstable; urgency=medium
* [817a137] Move VCS to pkg-ruby-extras
diff -Nru ruby-minitar-0.5.4/debian/patches/CVE-2016-10173.patch ruby-minitar-0.5.4/debian/patch
Source: ruby-minitar
Version: 0.5.4-3
Severity: grave
Tags: security upstream patch
Forwarded: https://github.com/halostatue/minitar/issues/16
Hi,
the following vulnerability was published for ruby-minitar.
CVE-2016-10173[0]:
directory traversal vulnerability
There is an upstream bug for it at
Source: ruby-minitar
Version: 0.5.4-3
Severity: normal
Hi
/usr/bin/minitar as shipped in ruby-minitar is not working. Trying to
extract a tar.gz with it raises:
$ minitar extract test.tar.gz
/usr/bin/minitar:19:in `<main>': undefined method `require_gem' for main:Object
(NoMethodError)
Did you
Source: gitlab
Version: 8.13.3+dfsg1-2
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for gitlab.
CVE-2016-9469[0]:
|Denial-of-Service and Data Corruption Vulnerability in Issue and Merge
|Request Trackers
If you fix the vulnerability please also make
Source: gitlab
Version: 8.10.5+dfsg-3
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
the following vulnerability was published for gitlab.
CVE-2016-9086[0]:
| GitLab versions 8.9.x and above contain a critical security flaw in the
| "import/export project" feature
Package: bundler
Version: 1.7.4-1
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for bundler.
CVE-2016-7954[0]:
code execution via gem name collision in bundler
Please correct me if I'm wrong. As far as I understand, this issue cannot
be fixed within
Hi!
On Sat, Aug 27, 2016 at 02:58:13PM +0530, Pirate Praveen wrote:
> On Thu, 25 Aug 2016 21:44:23 +0200 Salvatore Bonaccorso
> <car...@debian.org> wrote:
> > Control: fixed -1 4.2.0-1
> > Hi
> >
> > This seems to have been addressed in 4.2.0 upstream (wh
Control: fixed -1 4.2.0-1
Hi
This seems to have been addressed in 4.2.0 upstream (which was
uploaded to experimental), but the debian/changelog does not mention
the bug closer nor the CVE id; any reason for that or just an
oversight?
Regards,
Salvatore
Source: ruby-saml
Version: 1.1.2-1
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for ruby-saml.
CVE-2016-5697[0]:
signature wrapping attack vulnerability
If you fix the vulnerability please also make sure to include the
CVE (Common
Source: chef
Version: 12.3.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/chef/chef/issues/3871
Hi,
the following vulnerability was published for chef.
CVE-2015-8559[0]:
knife bootstrap leaks validator privkey into system logs
AFAICS no fix is yet available
Source: passenger
Version: 5.0.7-3
Severity: important
Tags: security upstream patch
Hi,
the following vulnerability was published for passenger.
CVE-2015-7519[0]:
Header overwriting issue
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities &
Control: retitle ruby-devise-two-factor: CVE-2015-7225: TOTP Replay Attack
Hi,
On Wed, Sep 09, 2015 at 07:10:29PM +0200, Moritz Muehlenhoff wrote:
> Package: ruby-devise-two-factor
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> please see
Hi,
(Adding Antonio to the loop who did the previous uploads)
On Thu, Jul 30, 2015 at 06:36:56PM +0900, Youhei SASAKI wrote:
Hi,
Thanks for your review.
On Thu, 30 Jul 2015 04:49:12 +0900,
Salvatore Bonaccorso car...@debian.org wrote:
# BTW, due to the unreported FTBFS issue about ruby
Hi,
On Thu, Jul 30, 2015 at 09:58:27PM +0200, Salvatore Bonaccorso wrote:
The target distribution was still set to 'unstable'. I have fixed
that in the attached debdiffs and added the patch for jessie-security
(can you import them in your VCS please?). I have uploaded to
security-master
Hi,
Thanks for working on this issue!
On Wed, Jul 29, 2015 at 05:30:34PM +0900, Youhei SASAKI wrote:
Dear Debian Security Team
I've created patches in order to fix CVE-2015-3225 for wheezy and jessie.
#789311 (CVE-2015-3225)
Please consider updating the stable version of ruby-rack with
Source: rails
Version: 2:4.1.8-1
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for rails.
CVE-2015-3227[0]:
Denial of Service
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities
Source: rails
Version: 2:4.1.8-1
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for rails.
CVE-2015-3226[0]:
XSS Vulnerability in ActiveSupport::JSON.encode
If you fix the vulnerability please also make sure to include the
CVE
Source: ruby-jquery-rails
Version: 3.1.2-6
Severity: important
Tags: security upstream fixed-upstream
Hi,
the following vulnerability was published for ruby-jquery-rails,
filing it in the BTS for reference as well.
CVE-2015-1840[0]:
CSRF vulnerability in jquery-rails
If you fix the vulnerability
Source: ruby-bson
Version: 1.10.0-1
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for ruby-bson.
CVE-2015-4410[0]:
DoS and possible injection
If you fix the vulnerability please also make sure to include the
CVE (Common
Source: rails-3.2
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
Hi,
the following vulnerability was published for rails-3.2.
CVE-2014-0130[0]:
Directory Traversal Vulnerability With Certain Route Configurations
If you fix the vulnerability please also
Source: rails-4.0
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerability was published for rails-4.0.
CVE-2014-0130[0]:
Directory Traversal Vulnerability With Certain Route Configurations
If you fix the vulnerability please also make sure to include the
CVE
Hi Jonas, hi Moritz,
On Fri, Mar 28, 2014 at 07:49:18PM +0100, Jonas Genannt wrote:
Hello Moritz,
thanks for your report. I have checked the version in Debian, and I think
they are not affected by this SSHA salt problem:
Package: ruby-will-paginate
Severity: important
Tags: security upstream fixed-upstream
Hi,
the following vulnerability was published for ruby-will-paginate.
CVE-2013-6459[0]:
XSS vulnerabilities
It is fixed in a new upstream version 3.0.5[1].
If you fix the vulnerability please also make sure
Hi Per,
On Mon, Nov 25, 2013 at 01:20:42AM +0100, Per Andersson wrote:
On Sun, Nov 10, 2013 at 8:58 PM, Salvatore Bonaccorso car...@debian.org
wrote:
Hi Per,
Did you have time to prepare the fixes for unstable?
Still working with the latest upstream release. Hope it will be done
soon
Package: sup-mail
Severity: grave
Tags: security upstream patch fixed-upstream
Hi
A remote command injection in sup-mail was reported, see [0] and [1]
for more details. Upstream also released new versions fixing this
issue, see [3] for the diff between 0.13.2 and 0.13.2.1.
[0]
Control: retitle -1 sup-mail: CVE-2013-4478: remote command injection in
content_type
Control: user debian-secur...@lists.debian.org
Control: usertags -1 + tracked
Hi
CVE-2013-4478 was now assigned to this issue.
Regards,
Salvatore
Control: retitle -1 sup-mail: CVE-2013-4478 and CVE-2013-4479
Actually I was not correct, there should be two issues:
CVE-2013-4478: For the issue specifically covered in
http://seclists.org/fulldisclosure/2013/Oct/att-272/whatsup.txt which
is
Hi
Please see also the followups
http://article.gmane.org/gmane.comp.security.oss.general/11137
Regards,
Salvatore
Hi Cédric
On Tue, May 07, 2013 at 10:51:20AM +0200, Cédric Boutillier wrote:
Dear PET developers,
We've noticed that the PET service for the Ruby Team
http://pet.debian.net/pkg-ruby-extras/pet.cgi
has not been receiving updates from the repos for at least a few days.
I've tried to move
Control: retitle -1 Update libextlib-ruby / ruby-extlib for vulnerabilities
(Re: CVE-2013-1802)
Hi
A separate CVE was assigned to this vulnerability: CVE-2013-1802
Regards,
Salvatore
Source: ruby-rack
Severity: grave
Tags: security
Hi,
the following vulnerabilities were published for ruby-rack.
CVE-2013-0262[0]:
Path sanitization information disclosure
CVE-2013-0263[1]:
Timing attack in cookie sessions
If you fix the vulnerabilities please also make sure to include the
Control: clone -1 -2
Control: retitle -1 ruby-rack: CVE-2013-0262: Path sanitization information
disclosure
Control: retitle -2 ruby-rack: CVE-2013-0263: Timing attack in cookie sessions
Hi
On Sun, Feb 10, 2013 at 11:14:50AM +0900, Satoru KURASHIKI wrote:
hi,
For further information see:
Package: rails
Severity: grave
Tags: security
Justification: user security hole
Hi
The following advisory was made for rails:
[1] http://weblog.rubyonrails.org/
[2]:
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo
Disclaimer: I have not checked which
+++ libextlib-ruby-0.9.13/debian/changelog
@@ -1,3 +1,11 @@
+libextlib-ruby (0.9.13-2+squeeze1) stable-security; urgency=high
+
+ * Non-maintainer upload.
+ * [SECURITY] CVE-2013-0156: Remove symbol and yaml coercion from the XML
parser
+(Closes: #697895) (LP: #1098357)
+
+ -- Salvatore Bonaccorso car
and yaml coercion from the
+XML parser. (Closes: #697895) (LP: #1098357)
+
+ -- Salvatore Bonaccorso car...@debian.org Fri, 11 Jan 2013 21:14:26 +0100
+
ruby-extlib (0.9.15-2) unstable; urgency=low
* Add full text of the Ruby licence.
@@ -49 +56,0 @@
-
only in patch2:
unchanged:
--- ruby
: #1098357)
+
+ -- Salvatore Bonaccorso car...@debian.org Fri, 11 Jan 2013 20:52:05 +0100
+
libextlib-ruby (0.9.13-2) unstable; urgency=low
* std-ver - 3.8.4. No changes needed.
only in patch2:
unchanged:
--- libextlib-ruby-0.9.13.orig/spec/hash_spec.rb
+++ libextlib-ruby-0.9.13/spec
Subject: rttool: Manpage for rt2 contains subversion $Id$ marker
Source: rttool
Version: 1.0.3.0-2
Severity: minor
Hi
The manpage /usr/share/man/man1/rt2.1.gz still contains the $Id$
subversion marker.
Regards,
Salvatore
Source: rdtool
Version: 0.6.34-3
Severity: normal
Hi
This for example affects vim-addon-manager, which was built with a newer
rdtool's rd2. rd2 -r rd/rd2man-lib does not seem to correctly generate
the manpages, quoting sections with [.
Here is an