Debian Bug report logs - #494401
ruby1.8: New release (1.8.7-p71) with vulnerabilities fixes

Package: ruby1.8; Maintainer for ruby1.8 is (unknown);

Reported by: Daigo Moriwaki <daigo@debian.org>

Date: Sat, 9 Aug 2008 03:36:02 UTC

Severity: grave

Tags: security

Found in versions ruby1.8/1.8.7.22-2, ruby1.8/1.8.5-4etch2

Fixed in version ruby1.8/1.8.7.72-1

Done: Lucas Nussbaum <lucas@lucas-nussbaum.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, akira yamada <akira@debian.org>:
Bug#494401; Package ruby1.8.


Acknowledgement sent to Daigo Moriwaki <daigo@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, akira yamada <akira@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Daigo Moriwaki <daigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby1.8: New release (1.8.7-p71) with vulnerabilities fixes
Date: Sat, 09 Aug 2008 12:34:02 +0900
Package: ruby1.8
Version: 1.8.7.22-2
Severity: grave
Tags: security

A new version (1.8.7-p71) has been released that fixes multiple
vulnerabilities[1].

* Several vulnerabilities in safe level
* DoS vulnerability in WEBrick
* Lack of taintness check in dl
* DNS spoofing vulnerability in resolv.rb (CVE-2008-1447[2])

The following packages in Debian are affected:

  * ruby1.8
    - unstable: 1.8.7.22-3
    - testing:  1.8.7.22-2
    - stable:   1.8.5-4etch2

[1] http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

Regards,
Daigo

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/2 CPU cores)
Locale: LANG=ja_JP.eucJP, LC_CTYPE=ja_JP.eucJP (charmap=EUC-JP)
Shell: /bin/sh linked to /bin/bash

Versions of packages ruby1.8 depends on:
ii  libc6                         2.7-10     GNU C Library: Shared libraries
ii  libruby1.8                    1.8.7.22-2 Libraries necessary to run Ruby 1.

ruby1.8 recommends no packages.

Versions of packages ruby1.8 suggests:
ii  rdoc1.8                       1.8.7.22-2 Generate documentation from Ruby s
ii  ri1.8                         1.8.7.22-2 Ruby Interactive reference (for Ru
ii  ruby1.8-examples              1.8.7.22-2 Examples for Ruby 1.8

-- no debconf information




Bug marked as found in version 1.8.5-4etch2. Request was from Daigo Moriwaki <daigo@debian.org> to control@bugs.debian.org. (Sat, 09 Aug 2008 03:45:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#494401; Package ruby1.8.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>.


Message #12 received at 494401@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 494402@bugs.debian.org, 494401@bugs.debian.org
Subject: one more issue
Date: Sat, 30 Aug 2008 16:36:40 +1000
Hi

Please also address the issue below. A CVE id for this issue has been 
requested.
Thanks for your work.

Cheers
Steffen

Ruby upstream has announced another security flaw
(DoS vulnerability in REXML module):

http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/

Test case available in part: "Impact".

Proposed preliminary fix: 
http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb

Testing status: REXML parsing of provided *.xml file causes
                100% cpu usage for about 1 and 1/4 minutes
                (checked the ruby-1.8.5-5.5 case).

Information forwarded to debian-bugs-dist@lists.debian.org, akira yamada <akira@debian.org>:
Bug#494401; Package ruby1.8.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to akira yamada <akira@debian.org>.


Message #17 received at 494401@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 494402@bugs.debian.org
Cc: 494401@bugs.debian.org
Subject: Re: one more issue
Date: Sat, 30 Aug 2008 16:39:40 +1000
On Sat, 30 Aug 2008 04:36:40 pm Steffen Joeris wrote:
> Hi
>
> Please also address the issue below. A CVE id for this issue has been
> requested.
> Thanks for your work.
Ugh, this was already reported as #496808 and is tracked via CVE-2008-3790, so 
please ignore my email.

Cheers
Steffen


Reply sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
You have taken responsibility.


Notification sent to Daigo Moriwaki <daigo@debian.org>:
Bug acknowledged by developer.


Message #22 received at 494401-close@bugs.debian.org:

From: Lucas Nussbaum <lucas@lucas-nussbaum.net>
To: 494401-close@bugs.debian.org
Subject: Bug#494401: fixed in ruby1.8 1.8.7.72-1
Date: Wed, 10 Sep 2008 09:32:12 +0000
Source: ruby1.8
Source-Version: 1.8.7.72-1

We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive:

irb1.8_1.8.7.72-1_all.deb
  to pool/main/r/ruby1.8/irb1.8_1.8.7.72-1_all.deb
libdbm-ruby1.8_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/libdbm-ruby1.8_1.8.7.72-1_i386.deb
libgdbm-ruby1.8_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/libgdbm-ruby1.8_1.8.7.72-1_i386.deb
libopenssl-ruby1.8_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/libopenssl-ruby1.8_1.8.7.72-1_i386.deb
libreadline-ruby1.8_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/libreadline-ruby1.8_1.8.7.72-1_i386.deb
libruby1.8-dbg_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/libruby1.8-dbg_1.8.7.72-1_i386.deb
libruby1.8_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/libruby1.8_1.8.7.72-1_i386.deb
libtcltk-ruby1.8_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/libtcltk-ruby1.8_1.8.7.72-1_i386.deb
rdoc1.8_1.8.7.72-1_all.deb
  to pool/main/r/ruby1.8/rdoc1.8_1.8.7.72-1_all.deb
ri1.8_1.8.7.72-1_all.deb
  to pool/main/r/ruby1.8/ri1.8_1.8.7.72-1_all.deb
ruby1.8-dev_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/ruby1.8-dev_1.8.7.72-1_i386.deb
ruby1.8-elisp_1.8.7.72-1_all.deb
  to pool/main/r/ruby1.8/ruby1.8-elisp_1.8.7.72-1_all.deb
ruby1.8-examples_1.8.7.72-1_all.deb
  to pool/main/r/ruby1.8/ruby1.8-examples_1.8.7.72-1_all.deb
ruby1.8_1.8.7.72-1.diff.gz
  to pool/main/r/ruby1.8/ruby1.8_1.8.7.72-1.diff.gz
ruby1.8_1.8.7.72-1.dsc
  to pool/main/r/ruby1.8/ruby1.8_1.8.7.72-1.dsc
ruby1.8_1.8.7.72-1_i386.deb
  to pool/main/r/ruby1.8/ruby1.8_1.8.7.72-1_i386.deb
ruby1.8_1.8.7.72.orig.tar.gz
  to pool/main/r/ruby1.8/ruby1.8_1.8.7.72.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 494401@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lucas Nussbaum <lucas@lucas-nussbaum.net> (supplier of updated ruby1.8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 10 Sep 2008 10:27:45 +0200
Source: ruby1.8
Binary: ruby1.8 libruby1.8 libruby1.8-dbg ruby1.8-dev libdbm-ruby1.8 libgdbm-ruby1.8 libreadline-ruby1.8 libtcltk-ruby1.8 libopenssl-ruby1.8 ruby1.8-examples ruby1.8-elisp ri1.8 rdoc1.8 irb1.8
Architecture: source all i386
Version: 1.8.7.72-1
Distribution: unstable
Urgency: high
Maintainer: akira yamada <akira@debian.org>
Changed-By: Lucas Nussbaum <lucas@lucas-nussbaum.net>
Description: 
 irb1.8     - Interactive Ruby (for Ruby 1.8)
 libdbm-ruby1.8 - DBM interface for Ruby 1.8
 libgdbm-ruby1.8 - GDBM interface for Ruby 1.8
 libopenssl-ruby1.8 - OpenSSL interface for Ruby 1.8
 libreadline-ruby1.8 - Readline interface for Ruby 1.8
 libruby1.8 - Libraries necessary to run Ruby 1.8
 libruby1.8-dbg - Debugging symbols for Ruby 1.8
 libtcltk-ruby1.8 - Tcl/Tk interface for Ruby 1.8
 rdoc1.8    - Generate documentation from Ruby source files (for Ruby 1.8)
 ri1.8      - Ruby Interactive reference (for Ruby 1.8)
 ruby1.8    - Interpreter of object-oriented scripting language Ruby 1.8
 ruby1.8-dev - Header files for compiling extension modules for the Ruby 1.8
 ruby1.8-elisp - ruby-mode for Emacsen
 ruby1.8-examples - Examples for Ruby 1.8
Closes: 494401 496808
Changes: 
 ruby1.8 (1.8.7.72-1) unstable; urgency=high
 .
   * New upstream release.
     - many patches in 1.8.7.22-4 were simply backported from upstream SVN, and
       are integrated into that release. We drop those:
       + 103_array_c_r17472_to_r17756.dpatch
       + 810_ruby187p22_fixes.dpatch
       + 811_multiple_vuln_200808.dpatch
     - Fixes the following security issues: (Closes: #494401)
       * Several vulnerabilities in safe level
       * DoS vulnerability in WEBrick
       * Lack of taintness check in dl
       * DNS spoofing vulnerability in resolv.rb (CVE-2008-1447)
   * Applied debian/patches/168_rexml_dos.dpatch:
     Fix CVE-2008-3790 (REXML expansion DOS). Closes: #496808.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 07:29:09 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 10:07:26 2025; Machine Name: buxtehude
