Debian Bug report logs - #332742
ruby1.8: [CAN-2005-2337] safe mode bypass

Package: ruby1.8; Maintainer for ruby1.8 is akira yamada <akira@debian.org>; Source for ruby1.8 is src:ruby1.8.

Reported by: Martin Pitt <martin.pitt@ubuntu.com>

Date: Sat, 8 Oct 2005 09:33:08 UTC

Severity: grave

Tags: patch, security

Found in version ruby1.8/1.8.2-9

Fixed in versions ruby1.8/1.8.3-1, ruby1.8/1.8.2-7sarge2

Done: Filipus Klutiero <ido@vif.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#332742; Package ruby1.8.

Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
New Bug report received and forwarded. Copy sent to akira yamada <akira@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Martin Pitt <martin.pitt@ubuntu.com>
To: Debian BTS Submit <submit@bugs.debian.org>
Cc: security@debian.org
Subject: ruby1.8: [CAN-2005-2337] safe mode bypass
Date: Sat, 8 Oct 2005 11:22:00 +0200
Package: ruby1.8
Version: 1.8.2-9
Severity: grave
Tags: security patch

Hi!

There is a safe mode bypass in all Ruby versions:

  http://www.ruby-lang.org/en/20051003.html

This page also contains a patch (which does not apply perfectly since
the XMLRPC issue is already fixed, but for eval.c it applies fine).

This has been assigned CAN-2005-2337, please mention this number in
the changelog when you fix this.

Thanks,

Martin

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#332742; Package ruby1.8.

Acknowledgement sent to akira yamada <akira@debian.org>:
Extra info received and forwarded to list.

Message #10 received at 332742@bugs.debian.org:

From: akira yamada <akira@debian.org>
To: Martin Pitt <martin.pitt@ubuntu.com>, 332742@bugs.debian.org
Subject: Re: Bug#332742: ruby1.8: [CAN-2005-2337] safe mode bypass
Date: Sat, 08 Oct 2005 22:04:49 +0900
Martin Pitt wrote:
> There is a safe mode bypass in all Ruby versions:

I already prepared the new package and
sent a notice to the security team.

But I cannot yet get DSA....

-- 
akira yamada



Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#332742; Package ruby1.8.

Acknowledgement sent to Tomas Pospisek <tpo@sourcepole.ch>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>.

Message #15 received at 332742@bugs.debian.org:

From: Tomas Pospisek <tpo@sourcepole.ch>
To: akira@debian.org
Cc: 332742@bugs.debian.org
Subject: can be closed: ruby1.8: [CAN-2005-2337] safe mode bypass
Date: Thu, 13 Oct 2005 12:02:38 +0200 (CEST)
Hello Akira,

I think http://bugs.debian.org/332742 can be closed since the Debian 
security team issued a DSA today [1].

Greets,
*t

[1] http://www.debian.org/security/2005/dsa-864

-- 
--------------------------------------------------------
  Tomas Pospisek
  http://sourcepole.com -  Linux & Open Source Solutions
--------------------------------------------------------



Reply sent to akira yamada <akira@debian.org>:
You have taken responsibility.

Notification sent to Martin Pitt <martin.pitt@ubuntu.com>:
Bug acknowledged by developer.

Message #20 received at 332742-close@bugs.debian.org:

From: akira yamada <akira@debian.org>
To: Martin Pitt <martin.pitt@ubuntu.com>, 332742-close@bugs.debian.org
Subject: Re: Bug#332742: ruby1.8: [CAN-2005-2337] safe mode bypass
Date: Wed, 19 Oct 2005 19:25:20 +0900
DSA-864 was published.



Bug marked as fixed in version 1.8.3-1, send any further explanations to Martin Pitt <martin.pitt@ubuntu.com> Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.

Bug marked as fixed in version 1.8.2-7sarge2, send any further explanations to Martin Pitt <martin.pitt@ubuntu.com> Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 09:06:50 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 09:33:28 2014; Machine Name: beach.debian.org
