Debian Bug report logs - #1016140
rails: CVE-2022-32224


Package: src:rails; Maintainer for src:rails is Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>;

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Wed, 27 Jul 2022 20:57:06 UTC

Severity: grave

Tags: security, upstream

Found in versions rails/2:6.0.3.7+dfsg-2, rails/2:6.1.4.7+dfsg-2

Fixed in version rails/2:6.1.6.1+dfsg-1

Done: Gabriela Pivetta <gpivetta99@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#1016140; Package src:rails. (Wed, 27 Jul 2022 20:57:08 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 27 Jul 2022 20:57:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: rails: CVE-2022-32224
Date: Wed, 27 Jul 2022 22:56:22 +0200
Source: rails
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for rails.

CVE-2022-32224[0]:
https://github.com/advisories/GHSA-3hhc-qp5v-9p2j

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-32224
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32224

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 31 Jul 2022 14:15:07 GMT)


Marked as found in versions rails/2:6.1.4.7+dfsg-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 31 Jul 2022 14:15:09 GMT)


Marked as found in versions rails/2:6.0.3.7+dfsg-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 31 Jul 2022 14:15:10 GMT)


Reply sent to Gabriela Pivetta <gpivetta99@gmail.com>:
You have taken responsibility. (Tue, 23 Aug 2022 19:09:05 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 23 Aug 2022 19:09:05 GMT)


Message #16 received at 1016140-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1016140-close@bugs.debian.org
Subject: Bug#1016140: fixed in rails 2:6.1.6.1+dfsg-1
Date: Tue, 23 Aug 2022 19:07:03 +0000
Source: rails
Source-Version: 2:6.1.6.1+dfsg-1
Done: Gabriela Pivetta <gpivetta99@gmail.com>

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1016140@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gabriela Pivetta <gpivetta99@gmail.com> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 18 Aug 2022 15:46:46 -0300
Source: rails
Architecture: source
Version: 2:6.1.6.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Gabriela Pivetta <gpivetta99@gmail.com>
Closes: 1011941 1016140 1016982
Changes:
 rails (2:6.1.6.1+dfsg-1) unstable; urgency=medium
 .
   [ Pirate Praveen ]
   * Remove <!nocheck> build profile from runtime dependencies.
 .
   [ Utkarsh Gupta ]
   * New upstream version 6.1.6.1+dfsg. (Fixes: CVE-2022-22577,
     CVE-2022-27777, CVE-2022-32224) (Closes: #1011941, #1016982, #1016140)
   * d/control: Update minimum version of ruby-selenium-webdriver to 4.0.0
     for autopkgtest. :)
 .
   [ Gabriela Pivetta ]
   * d/p/activerecord-add-missing-require-statements.patch: Drop
     patch that has been merged upstream.
   * d/patches: Refresh patches.
Checksums-Sha1:
 f4dc127f282f34879bbcf2a5755668e0a72c586a 4798 rails_6.1.6.1+dfsg-1.dsc
 e715921994f93ed9f2cb4f4ce5925628e15d4519 8173652 rails_6.1.6.1+dfsg.orig.tar.xz
 252352526d551285d44dbee7b4f4f69fa76fa058 101584 rails_6.1.6.1+dfsg-1.debian.tar.xz
 5a5e0478cd61d571e5d11d90b07774066e94d89a 14728 rails_6.1.6.1+dfsg-1_source.buildinfo
Checksums-Sha256:
 8d507d77b39212eabc415e7d0598ae4d0412541dd207423cf824f1ab266678b9 4798 rails_6.1.6.1+dfsg-1.dsc
 6d17ff42c877d7490a6e832f1dc540178bc9203083d7a487a2d6ce809adb1b10 8173652 rails_6.1.6.1+dfsg.orig.tar.xz
 7967178486539c5c3105253bcdb9ffb0b11a6cf0abb0cf4e113073612bc0f7c1 101584 rails_6.1.6.1+dfsg-1.debian.tar.xz
 e99aa9f9aedccc59a88562a4af6f407dd4cc57730d082229832f0e56e394b242 14728 rails_6.1.6.1+dfsg-1_source.buildinfo
Files:
 837d10aac534854f5302931b68376a9a 4798 ruby optional rails_6.1.6.1+dfsg-1.dsc
 8eb8019844e018cf1e1356c3fbab51c9 8173652 ruby optional rails_6.1.6.1+dfsg.orig.tar.xz
 787e0c20b8d27ba0e5a24f7f98c87583 101584 ruby optional rails_6.1.6.1+dfsg-1.debian.tar.xz
 c325a6a49df70054ef8bda47c034ce1e 14728 ruby optional rails_6.1.6.1+dfsg-1_source.buildinfo

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Jul 2023 07:34:05 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Oct 8 03:08:26 2023; Machine Name: buxtehude
