Debian Bug report logs - #653963
ruby-rack predictable hash collisions

version graph

Package: ruby-rack; Maintainer for ruby-rack is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for ruby-rack is src:ruby-rack.

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Sun, 1 Jan 2012 22:54:08 UTC

Severity: serious

Tags: security

Fixed in version ruby-rack/1.4.0-1

Done: Paul van Tilburg <paulvt@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#653963; Package ruby-rack. (Sun, 01 Jan 2012 22:54:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 01 Jan 2012 22:54:11 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: ruby-rack predictable hash collisions
Date: Sun, 1 Jan 2012 23:52:14 +0100
[Message part 1 (text/plain, inline)]
Package: ruby-rack
Severity: serious
Tags: security

Hi,

It was reported that Rack is affected by the predictable hash collisions 
attack that made its rounds around the net this week. This is tracked at
http://security-tracker.debian.org/tracker/CVE-2011-5036

Can you ensure that fixed packages are uploaded to sid as soon as possible?


Cheers,
Thijs
[signature.asc (application/pgp-signature, inline)]

Reply sent to Paul van Tilburg <paulvt@debian.org>:
You have taken responsibility. (Tue, 03 Jan 2012 22:12:04 GMT) Full text and rfc822 format available.

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Tue, 03 Jan 2012 22:12:04 GMT) Full text and rfc822 format available.

Message #10 received at 653963-close@bugs.debian.org (full text, mbox):

From: Paul van Tilburg <paulvt@debian.org>
To: 653963-close@bugs.debian.org
Subject: Bug#653963: fixed in ruby-rack 1.4.0-1
Date: Tue, 03 Jan 2012 22:09:10 +0000
Source: ruby-rack
Source-Version: 1.4.0-1

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive:

librack-ruby1.8_1.4.0-1_all.deb
  to main/r/ruby-rack/librack-ruby1.8_1.4.0-1_all.deb
librack-ruby1.9.1_1.4.0-1_all.deb
  to main/r/ruby-rack/librack-ruby1.9.1_1.4.0-1_all.deb
librack-ruby_1.4.0-1_all.deb
  to main/r/ruby-rack/librack-ruby_1.4.0-1_all.deb
ruby-rack_1.4.0-1.debian.tar.gz
  to main/r/ruby-rack/ruby-rack_1.4.0-1.debian.tar.gz
ruby-rack_1.4.0-1.dsc
  to main/r/ruby-rack/ruby-rack_1.4.0-1.dsc
ruby-rack_1.4.0-1_all.deb
  to main/r/ruby-rack/ruby-rack_1.4.0-1_all.deb
ruby-rack_1.4.0.orig.tar.gz
  to main/r/ruby-rack/ruby-rack_1.4.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 653963@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul van Tilburg <paulvt@debian.org> (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 03 Jan 2012 22:39:13 +0100
Source: ruby-rack
Binary: ruby-rack librack-ruby1.9.1 librack-ruby1.8 librack-ruby
Architecture: source all
Version: 1.4.0-1
Distribution: unstable
Urgency: low
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Paul van Tilburg <paulvt@debian.org>
Description: 
 librack-ruby - Transitional package for ruby-rack
 librack-ruby1.8 - Transitional package for ruby-rack
 librack-ruby1.9.1 - Transitional package for ruby-rack
 ruby-rack  - Modular Ruby webserver interface
Closes: 653963
Changes: 
 ruby-rack (1.4.0-1) unstable; urgency=low
 .
   * New upstream release (closes: #653963).
Checksums-Sha1: 
 bcd3dd59d61818b391ecef310ad3a7b4679437fd 1598 ruby-rack_1.4.0-1.dsc
 2825921318a8b4609cb3421a49afb460cf70b7cf 167513 ruby-rack_1.4.0.orig.tar.gz
 a9a55fe75f27bd35ddb1dfe90ad350403183dbfc 4944 ruby-rack_1.4.0-1.debian.tar.gz
 48f91127350bee9f203d13d6ed1c56ff737719a8 79832 ruby-rack_1.4.0-1_all.deb
 cb022c1ce17f61f104a54ad9be89e1d8f3ff97c2 3580 librack-ruby1.9.1_1.4.0-1_all.deb
 77531182b9eca8c17d78dfce6630a4da515e35d9 3574 librack-ruby1.8_1.4.0-1_all.deb
 73a12be78bf527f61007587299c6d47c6234ea12 3568 librack-ruby_1.4.0-1_all.deb
Checksums-Sha256: 
 fa78cb86ae36562bd1fa9b98fc6570bf654d0b8de20384af3fa91fdbfc355fc6 1598 ruby-rack_1.4.0-1.dsc
 36dac4972d3ada61d6194955a33e60928c37ad3e29c1a0325ee821e229564b74 167513 ruby-rack_1.4.0.orig.tar.gz
 69e1c16730031491862743f8881f3b34dd20656dbf06df51d6e5111f96dc7b39 4944 ruby-rack_1.4.0-1.debian.tar.gz
 31c79b5cbf7f00804599e954e783996211a8f9195201d2cc18bca4661c071de8 79832 ruby-rack_1.4.0-1_all.deb
 d7795822d70c5b07dae0e5957c46b0782606a22501fcb3e25b67808d02fbbfc3 3580 librack-ruby1.9.1_1.4.0-1_all.deb
 3b107b65464f592041aa9f73e1fcf473fd9b2999c7ccba80c2dbca4e29d769ff 3574 librack-ruby1.8_1.4.0-1_all.deb
 479fdffa854fddf4e2e727b5a1afc918b717388bc2e62e4a9235f59bfe3ce7e1 3568 librack-ruby_1.4.0-1_all.deb
Files: 
 aba47141b8066dc1ef0c933fceea54c3 1598 ruby optional ruby-rack_1.4.0-1.dsc
 6dd2c1ce9008972001abe8d18456881a 167513 ruby optional ruby-rack_1.4.0.orig.tar.gz
 781c47bb03e15615b85aab662ea03713 4944 ruby optional ruby-rack_1.4.0-1.debian.tar.gz
 198c85d38461b45dbeb0ab407b90f71f 79832 ruby optional ruby-rack_1.4.0-1_all.deb
 2c0812903bad56273e1c9aacfc3ce294 3580 oldlibs extra librack-ruby1.9.1_1.4.0-1_all.deb
 b713016611fca252002901ca287a564b 3574 oldlibs extra librack-ruby1.8_1.4.0-1_all.deb
 e31bab2d520043172fd40513219ad41f 3568 oldlibs extra librack-ruby_1.4.0-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk8DeTgACgkQJBBhylAGQYEEtwCfUhftFA7dSwR/WDersJWm6WTH
JJAAn2t0yXVBe8S3mQ6oVStCDyVsRlh4
=wvPt
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#653963; Package ruby-rack. (Wed, 04 Jan 2012 10:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 04 Jan 2012 10:18:20 GMT) Full text and rfc822 format available.

Message #15 received at 653963@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 653963@bugs.debian.org
Subject: Re: Bug#653963 closed by Paul van Tilburg <paulvt@debian.org> (Bug#653963: fixed in ruby-rack 1.4.0-1)
Date: Wed, 4 Jan 2012 11:15:12 +0100
Hi Paul,

On Tue, January 3, 2012 23:12, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the ruby-rack package:
>
> #653963: ruby-rack predictable hash collisions
>
> It has been closed by Paul van Tilburg <paulvt@debian.org>.

Thanks. It's not obvious to me however how/that this release addresses the
problem. Can you elaborate?


thanks,
Thijs




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 11 Feb 2012 07:38:42 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 13:33:09 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.