Debian Bug report logs - #698440
ruby-rack: CVE-2012-6109 CVE-2013-0184 CVE-2013-0183


Package: ruby-rack; Maintainer for ruby-rack is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for ruby-rack is src:ruby-rack.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 18 Jan 2013 15:00:02 UTC

Severity: grave

Tags: security

Fixed in version ruby-rack/1.4.1-2.1

Done: KURASHIKI Satoru <lurdan@gmail.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#698440; Package ruby-rack. (Fri, 18 Jan 2013 15:00:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 18 Jan 2013 15:00:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-rack: CVE-2012-6109 CVE-2013-0184 CVE-2013-0183
Date: Fri, 18 Jan 2013 15:55:23 +0100
Package: ruby-rack
Severity: grave
Tags: security
Justification: user security hole

Please see these links for details:
http://seclists.org/oss-sec/2013/q1/80
http://seclists.org/oss-sec/2013/q1/83

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#698440; Package ruby-rack. (Sat, 19 Jan 2013 21:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Youhei SASAKI <uwabami@gfd-dennou.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 19 Jan 2013 21:21:04 GMT) Full text and rfc822 format available.

Message #10 received at 698440@bugs.debian.org (full text, mbox):

From: Youhei SASAKI <uwabami@gfd-dennou.org>
To: pkg-ruby-extras-maintainers@lists.alioth.debian.org
Cc: 698440@bugs.debian.org, security@debian.org
Subject: Re: [DRE-maint] Bug#698440: ruby-rack: CVE-2012-6109 CVE-2013-0184 CVE-2013-0183
Date: Sun, 20 Jan 2013 06:13:24 +0900
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear team member:
(Cc: BTS, security team)

I created cherry-picked patches from upstream, in order to fix these CVE
issues, and committed them to the team git repository. Please review for upload.

  Vcs-Git: git://git.debian.org/pkg-ruby-extras/ruby-rack.git
  Vcs-Browser: http://git.debian.org/?p=pkg-ruby-extras/ruby-rack.git;a=summary

BTW, I don't know whether these issues affect the stable packages,
librack-ruby{,1.8,1.9.1}, ver. 1.1.0-4.

# We have dropped them from SVN repos. Thus we should import them into
# team Git repos.

P.S. Thanks Moritz!

At 18 Jan 2013 15:55:23 +0100,
"Moritz Muehlenhoff" <jmm@inutil.org> wrote:
>
> Package: ruby-rack
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see these links for details:
> http://seclists.org/oss-sec/2013/q1/80
> http://seclists.org/oss-sec/2013/q1/83
>

Best Wishes,
- ---
Youhei SASAKI <uwabami@gfd-dennou.org>
              <uwabami@debian.or.jp>
GPG fingerprint:
  4096/RSA: 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#698440; Package ruby-rack. (Mon, 21 Jan 2013 23:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nobuhiro Iwamatsu <iwamatsu@nigauri.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 21 Jan 2013 23:39:03 GMT) Full text and rfc822 format available.

Message #15 received at 698440@bugs.debian.org (full text, mbox):

From: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
To: Youhei SASAKI <uwabami@gfd-dennou.org>
Cc: pkg-ruby-extras-maintainers@lists.alioth.debian.org, security@debian.org, 698440@bugs.debian.org
Subject: Re: [DRE-maint] Bug#698440: ruby-rack: CVE-2012-6109 CVE-2013-0184 CVE-2013-0183
Date: Tue, 22 Jan 2013 08:36:22 +0900
Hi,

On Sun, Jan 20, 2013 at 6:13 AM, Youhei SASAKI <uwabami@gfd-dennou.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Dear team member:
> (Cc: BTS, security team)
>
> I created cherry-picked patches from upstream, in order to fix these CVE
> issues, and committed them to the team git repository. Please review for upload.

Looks good to me.

>
>   Vcs-Git: git://git.debian.org/pkg-ruby-extras/ruby-rack.git
>   Vcs-Browser: http://git.debian.org/?p=pkg-ruby-extras/ruby-rack.git;a=summary
>
> BTW, I don't know whether these issues affect the stable packages,
> librack-ruby{,1.8,1.9.1}, ver. 1.1.0-4.

I seem to need 0003-Reimplement-auth-scheme-fix.patch.
Please consult the security team about this.

>
> # We have dropped them from SVN repos. Thus we should import them into
> # team Git repos.
>
> P.S. Thanks Moritz!
>
> At 18 Jan 2013 15:55:23 +0100,
> "Moritz Muehlenhoff" <jmm@inutil.org> wrote:
>>
>> Package: ruby-rack
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Please see these links for details:
>> http://seclists.org/oss-sec/2013/q1/80
>> http://seclists.org/oss-sec/2013/q1/83
>>
>
> Best Wishes,
> - ---
> Youhei SASAKI <uwabami@gfd-dennou.org>
>               <uwabami@debian.or.jp>
> GPG fingerprint:
>   4096/RSA: 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
>
> iQIcBAEBCgAGBQJQ+wxnAAoJEJOU81SJHX4HrewP/3goc7fyxCGG4o8ZoECNjV7Z
> zCKE/ya6aRVqvcFEBbSrvo/nh+QZdmMbLb2mu68PV8iEdsa7zYuxH+uGMv5brckN
> ST4dOAyUIfAvTBfusgsIDZaJWkOI/5w5t6Cv3hEr5wbBikvkyee40xCrkDklYoU3
> Y0/rSsjoIf5CUQwZ9XrSVbf5Z/Jy1RY9mXCJOygQXRwztYPbO8hawO2sv73MQM4W
> stTViWues7IgnjAEDPrtYOU3d35bx0MgDwfxcqXr9nDIz6TsnCX34FNiWl9Zw4Lc
> 6sJhUVKpCImTTwaHSRtvg/HWH75L+qLh6W8isscyh2qR3ZfFRmMgjPcm9Y/X56LI
> 0KPUuwuQQkOi6dgyY8jR6fk03Bwh1KpnJWfwUvPYHQX9IF5iRJbsfKuyqrqs2HQC
> Sv5xrp0eedoxs7Jh9hq4MMAwioM6r3/KtYUB0gyc4/6GxiPnLwGJtH3jcphCjju6
> BFyNRVsBc9oS/sH4Npor7Urr7KsMo8SeSmoJLPbqVwPVfbDLgL2LFOr5d3RLXqlU
> efJ2XxtIRqPMkzWoBZlWdKoxp3eQ08AMSeRhgJR+7ZG0+j7biSuM2nhRtF1AhVDp
> rq3mUzfBQi7MEw4cSFoGHIZVXj5SIX8Mlhou1si5OAww8qbPPx36HvNbxBDXoD4l
> EHLfuZ4hvyyg+0DVwtJi
> =u1mW
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Pkg-ruby-extras-maintainers mailing list
> Pkg-ruby-extras-maintainers@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers

Best regards,
  Nobuhiro

-- 
Nobuhiro Iwamatsu
   iwamatsu at {nigauri.org / debian.org}
   GPG ID: 40AD1FA6



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#698440; Package ruby-rack. (Sat, 26 Jan 2013 16:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Youhei SASAKI <uwabami@gfd-dennou.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 26 Jan 2013 16:03:03 GMT) Full text and rfc822 format available.

Message #20 received at 698440@bugs.debian.org (full text, mbox):

From: Youhei SASAKI <uwabami@gfd-dennou.org>
To: "Nobuhiro Iwamatsu" <iwamatsu@nigauri.org>
Cc: "debian-ruby" <debian-ruby@lists.debian.org>, security@debian.org, 698440@bugs.debian.org
Subject: Re: [DRE-maint] Bug#698440: ruby-rack: CVE-2012-6109 CVE-2013-0184 CVE-2013-0183
Date: Sun, 27 Jan 2013 01:01:49 +0900
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi, 

At 22 Jan 2013 08:36:22 +0900,
"Nobuhiro Iwamatsu" <iwamatsu@nigauri.org> wrote:
> 
> Looks good to me.

Thank you for your review. I'll upload it.

> > BTW, I don't know whether these issues affect the stable packages,
> > librack-ruby{,1.8,1.9.1}, ver. 1.1.0-4.
> 
> I seem to need 0003-Reimplement-auth-scheme-fix.patch.
> Please consult the security team about this.

Ok.

Best Wishes,
Youhei

- ---
Youhei SASAKI <uwabami@gfd-dennou.org>
              <uwabami@debian.or.jp>
GPG fingerprint:
  4096/RSA: 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#698440; Package ruby-rack. (Mon, 11 Feb 2013 04:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Satoru KURASHIKI <lurdan@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 11 Feb 2013 04:39:03 GMT) Full text and rfc822 format available.

Message #25 received at 698440@bugs.debian.org (full text, mbox):

From: Satoru KURASHIKI <lurdan@gmail.com>
To: team@security.debian.org
Cc: 698440@bugs.debian.org, pkg-ruby-extras-maintainers@lists.alioth.debian.org
Subject: Re: ruby-rack: CVE-2012-6109 CVE-2013-0184 CVE-2013-0183
Date: Mon, 11 Feb 2013 13:34:21 +0900
hi,
(CC: pkg-ruby-extras-maintainers)

> > > BTW, I don't know whether these issues affect the stable packages,
> > > librack-ruby{,1.8,1.9.1}, ver. 1.1.0-4.
> >
> > I seem to need 0003-Reimplement-auth-scheme-fix.patch.
> > Please consult the security team about this.
>
> Ok.

I prepared a patch for the stable version (with the maintainer's acknowledgement).
Please audit it; after that I will prepare an NMU for this (with #70026).

The prepared patch is as follows:
--- a/lib/rack.rb       2013-02-11 02:31:24.375449225 +0000
+++ b/lib/rack.rb       2013-02-11 02:33:48.735596653 +0000
@@ -71,6 +71,18 @@ module Rack
       autoload :Params, "rack/auth/digest/params"
       autoload :Request, "rack/auth/digest/request"
     end
+
+    # Not all of the following schemes are "standards", but they are
used often.
+    @schemes = %w[basic digest bearer mac token oauth oauth2]
+
+    def self.add_scheme scheme
+      @schemes << scheme
+      @schemes.uniq!
+    end
+
+    def self.schemes
+      @schemes.dup
+    end
   end

   module Session
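Review bot: the comment line in this hunk has been wrapped by the mailer: `+    # Not all of the following schemes are "standards", but they are` is followed by a bare `used often.` with no leading `+`, so the patch as pasted will not apply with `patch -p1`; please attach the patch file instead of pasting it inline, or resend with line wrapping disabled. The allowlist itself is sound: `schemes` hands out a `dup`, so callers cannot mutate the list behind the module's back, and `add_scheme` is the only way in. One suggestion: `add_scheme` should normalise its argument with `to_s.downcase`, because the lookup in `AbstractRequest#scheme` compares against the downcased header token, so a scheme registered as `"Negotiate"` would never match.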
--- a/lib/rack/auth/abstract/request.rb 2013-02-11 02:36:39.864688680 +0000
+++ b/lib/rack/auth/abstract/request.rb 2013-02-11 02:39:02.948692080 +0000
@@ -15,7 +15,11 @@
       end

       def scheme
-        @scheme ||= parts.first.downcase.to_sym
+        @scheme ||=
+          begin
+            s = parts.first.downcase
+            Rack::Auth.schemes.include?(s) ? s.to_sym : s
+          end
       end

       def params
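Review bot: `scheme` now returns a Symbol for allowlisted schemes and a String for everything else, which is exactly what the accompanying spec `should not symbolize unknown auth schemes` expects and is the substance of the fix (the raw header token no longer reaches `to_sym`, so untrusted input no longer interns new symbols). Please add a one-line comment above the method stating this Symbol-or-String contract, so that subclass code comparing `scheme == :basic` is not later "fixed" back to an unconditional `to_sym`. Minor: `Rack::Auth.schemes` builds a fresh `dup` on each call and the lookup is a linear `include?`, but since `@scheme ||=` memoises the result this runs once per request and is fine.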
--- /dev/null   1970-01-01 00:00:00.000000000 +0000
+++ b/test/spec_auth.rb 2013-02-11 02:28:44.635615432 +0000
@@ -0,0 +1,57 @@
+require 'rack'
+
+describe Rack::Auth do
+  it "should have all common authentication schemes" do
+    Rack::Auth.schemes.should.include? 'basic'
+    Rack::Auth.schemes.should.include? 'digest'
+    Rack::Auth.schemes.should.include? 'bearer'
+    Rack::Auth.schemes.should.include? 'token'
+  end
+
+  it "should allow registration of new auth schemes" do
+    Rack::Auth.schemes.should.not.include "test"
+    Rack::Auth.add_scheme "test"
+    Rack::Auth.schemes.should.include "test"
+  end
+end
+
+describe Rack::Auth::AbstractRequest do
+  it "should symbolize known auth schemes" do
+    env = Rack::MockRequest.env_for('/')
+    env['HTTP_AUTHORIZATION'] = 'Basic aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == :basic
+
+
+    env['HTTP_AUTHORIZATION'] = 'Digest aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == :digest
+
+    env['HTTP_AUTHORIZATION'] = 'Bearer aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == :bearer
+
+    env['HTTP_AUTHORIZATION'] = 'MAC aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == :mac
+
+    env['HTTP_AUTHORIZATION'] = 'Token aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == :token
+
+    env['HTTP_AUTHORIZATION'] = 'OAuth aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == :oauth
+
+    env['HTTP_AUTHORIZATION'] = 'OAuth2 aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == :oauth2
+  end
+
+  it "should not symbolize unknown auth schemes" do
+    env = Rack::MockRequest.env_for('/')
+    env['HTTP_AUTHORIZATION'] = 'magic aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == "magic"
+  end
+end
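Review bot: the `should allow registration of new auth schemes` spec mutates module-wide state (`Rack::Auth.add_scheme "test"`) and never removes `"test"` again, so it leaks into every spec that runs after it and makes the suite order-dependent; restore the original list when the spec finishes, or assert the registration against a copy. Style: the first `describe` uses `should.include?` with a trailing `?` while the second uses `should.include`, and there is a doubled blank line after `req.scheme.should == :basic`; pick one form and drop the extra blank. The `"magic"` case is the one that actually exercises the fix, and it is present.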

regards,
-- 
KURASHIKI Satoru
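The allowlisting technique that the CVE-2013-0184 fix in this thread relies on (convert only registered scheme names to Symbols, keep every other scheme token a String), written out as an added stand-alone example. This is not Rack's code and not the patch from the message above; `AuthSchemeDemo`, `parse_scheme` and `tally` are names chosen here, the sample header values are constructed, and the example additionally handles a missing or blank header, which the patched method leaves to its callers.

```ruby
# Added example, not Rack's own code: an allowlist of HTTP Authorization
# scheme names, mirroring the shape of the CVE-2013-0184 fix discussed in
# this thread. Only names registered up front are converted to Symbols;
# any other scheme token stays a String, so attacker-controlled header
# values never reach String#to_sym.
module AuthSchemeDemo
  # Constructed default list; the names follow the patch in this thread.
  @schemes = %w[basic digest bearer mac token oauth oauth2]

  # Register a scheme. Normalised to lower case so that registration and
  # lookup agree regardless of how the caller spells it.
  def self.add_scheme(scheme)
    @schemes << scheme.to_s.downcase
    @schemes.uniq!
  end

  # Copy of the allowlist, so callers cannot mutate the module's state.
  def self.schemes
    @schemes.dup
  end

  # Extract the scheme token from an Authorization header value.
  #   allowlisted scheme  -> Symbol (e.g. :basic)
  #   unknown scheme      -> String (e.g. "magic")
  #   absent/blank header -> nil (an edge case the patched method leaves
  #                          to its callers; handled here explicitly)
  def self.parse_scheme(header_value)
    return nil if header_value.nil?
    token = header_value.split(' ', 2).first
    return nil if token.nil? || token.empty?
    s = token.downcase
    schemes.include?(s) ? s.to_sym : s
  end

  # Classify a batch of header values, as one would over a request log.
  # Returns a Hash of class name => count ("Symbol", "String", "NilClass").
  def self.tally(header_values)
    header_values.each_with_object(Hash.new(0)) do |h, acc|
      acc[parse_scheme(h).class.name] += 1
    end
  end
end

if __FILE__ == $0
  # Constructed sample header values; the credential parts are dummy data.
  samples = ['Basic aXJyZXNwb25zaWJsZQ==', 'Bearer abc.def.ghi',
             'magic aXJyZXNwb25zaWJsZQ==', nil, '']
  samples.each { |h| puts "#{h.inspect} -> #{AuthSchemeDemo.parse_scheme(h).inspect}" }
  puts AuthSchemeDemo.tally(samples).inspect
end
```

The `tally` helper is the defender's view of the same logic: run over a day's worth of Authorization headers it shows how many requests carried an unregistered scheme, which is the traffic that would have been interning fresh symbols before the fix.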



Reply sent to KURASHIKI Satoru <lurdan@gmail.com>:
You have taken responsibility. (Wed, 27 Feb 2013 08:51:12 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 27 Feb 2013 08:51:12 GMT) Full text and rfc822 format available.

Message #30 received at 698440-close@bugs.debian.org (full text, mbox):

From: KURASHIKI Satoru <lurdan@gmail.com>
To: 698440-close@bugs.debian.org
Subject: Bug#698440: fixed in ruby-rack 1.4.1-2.1
Date: Wed, 27 Feb 2013 08:47:31 +0000
Source: ruby-rack
Source-Version: 1.4.1-2.1

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 698440@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
KURASHIKI Satoru <lurdan@gmail.com> (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 20 Feb 2013 20:56:31 +0900
Source: ruby-rack
Binary: ruby-rack librack-ruby1.9.1 librack-ruby1.8 librack-ruby
Architecture: source all
Version: 1.4.1-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: KURASHIKI Satoru <lurdan@gmail.com>
Description: 
 librack-ruby - Transitional package for ruby-rack
 librack-ruby1.8 - Transitional package for ruby-rack
 librack-ruby1.9.1 - Transitional package for ruby-rack
 ruby-rack  - Modular Ruby webserver interface
Closes: 698440 700173
Changes: 
 ruby-rack (1.4.1-2.1) unstable; urgency=high
 .
   [ KURASHIKI Satoru ]
   * Non-maintainer upload.
   * Create cherry-picked patches for Security Fix (Closes: #700173 #700226).
     - CVE-2013-0262: 0004-Prevent-symlink-path-traversals.patch
     - CVE-2013-0263: 0005-Use-secure_compare-for-hmac-comparison.patch
 .
   [ Youhei SASAKI ]
   * Create cherry-picked patches for Security Fix (Closes: #698440).
     - CVE-2012-6109: 0001-Fix-parsing-performance-for-unquoted-filenames.patch
     - CVE-2013-0183: 0002-multipart-parser-avoid-unbounded-gets-method.patch
     - CVE-2013-0184: 0003-Reimplement-auth-scheme-fix.patch
Checksums-Sha1: 
 9a3d309ba4a5e28c4704bdfe4b9ef3f0c59683ac 2296 ruby-rack_1.4.1-2.1.dsc
 6af3e111e057eb2bce94f84c0a1ba178f2554a46 10188 ruby-rack_1.4.1-2.1.debian.tar.gz
 792c22ac4c9749809bd6ef9898ae067c50e78081 82104 ruby-rack_1.4.1-2.1_all.deb
 0dd02e0fff3e0272c99fc54d9e71f6a7289e08f5 4062 librack-ruby1.9.1_1.4.1-2.1_all.deb
 e4db038dfa727071b9164bde1683271a2af9d685 4062 librack-ruby1.8_1.4.1-2.1_all.deb
 4551ba38658cd22f2ea6477e6ebe48c19445a9c8 4054 librack-ruby_1.4.1-2.1_all.deb
Checksums-Sha256: 
 5a862fc25cd10be8e1a6a995e9b3026b8b4c179f96f71fb0d82685adc0fd1d27 2296 ruby-rack_1.4.1-2.1.dsc
 bde86e2666452bab7366eb9795975d51c559bc53791fefedbcfd53c55777d4cd 10188 ruby-rack_1.4.1-2.1.debian.tar.gz
 cea57d69381165645821e448805bab849116debc7ebd4d311dcb29ca8218995c 82104 ruby-rack_1.4.1-2.1_all.deb
 93c466d51d6a045a178e7a943ee7a1a2911b315bb9a152e3d64cdf0a4a738521 4062 librack-ruby1.9.1_1.4.1-2.1_all.deb
 68634886631f95701cac203a844d66778504dbf487fba894b44132dc09e395e4 4062 librack-ruby1.8_1.4.1-2.1_all.deb
 8ba9cbc2c956f13cd0ddb990bc730d674fa6c011415e081601c91e046c06d6a9 4054 librack-ruby_1.4.1-2.1_all.deb
Files: 
 5a8aec59ccabd8a6c1a46e48dc809a95 2296 ruby optional ruby-rack_1.4.1-2.1.dsc
 0504150d496de77471904eb97f398dec 10188 ruby optional ruby-rack_1.4.1-2.1.debian.tar.gz
 e51a35b0965eefc77a76a99e757cafab 82104 ruby optional ruby-rack_1.4.1-2.1_all.deb
 c1ed80cb81d4860df8f25ef4ef5fbcbd 4062 oldlibs extra librack-ruby1.9.1_1.4.1-2.1_all.deb
 5c2f366fb42573ecd4c5da8aede17c02 4062 oldlibs extra librack-ruby1.8_1.4.1-2.1_all.deb
 e926fa8545dad99397b6a90ac96d4f60 4054 oldlibs extra librack-ruby_1.4.1-2.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#698440; Package ruby-rack. (Thu, 07 Mar 2013 11:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Satoru KURASHIKI <lurdan@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 07 Mar 2013 11:21:03 GMT) Full text and rfc822 format available.

Message #35 received at 698440@bugs.debian.org (full text, mbox):

From: Satoru KURASHIKI <lurdan@gmail.com>
To: team@security.debian.org
Cc: 700226@bugs.debian.org, 698440@bugs.debian.org, pkg-ruby-extras-maintainers@lists.alioth.debian.org
Subject: Re: Bug#700173: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Date: Thu, 7 Mar 2013 20:17:52 +0900
dear security team,

On Mon, Feb 11, 2013 at 1:24 PM, Satoru KURASHIKI <lurdan@gmail.com> wrote:
> I've contacted Youhei SASAKI (maintainer of ruby-rack, successor of
> librack-ruby),
> and acknowledged about preparing NMU for this bug.
>
> Please audit this patch, after that I will prepare NMU for squeeze.
> (and after that t-p-u, unstable, ...)

I've created an NMU debdiff for stable, which includes these fixes:
#698440 (CVE-2013-0184)
#700226 (CVE-2013-0263)

These are already applied in unstable/testing.

Please consider updating the stable version of librack-ruby with the
attached debdiff to close those CVE issues.

regards,
-- 
KURASHIKI Satoru
[librack-ruby_s-p-u.debdiff (application/octet-stream, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Apr 2013 07:27:30 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 08:17:14 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.