Debian Bug report logs - #944849
ruby-rack-cors: CVE-2019-18978


Package: src:ruby-rack-cors; Maintainer for src:ruby-rack-cors is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 16 Nov 2019 10:24:02 UTC

Severity: grave

Tags: security, upstream

Found in version ruby-rack-cors/1.0.2-1

Fixed in versions ruby-rack-cors/1.1.1-1, ruby-rack-cors/1.0.2-1+deb10u1

Done: Utkarsh Gupta <utkarsh@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#944849; Package src:ruby-rack-cors. (Sat, 16 Nov 2019 10:24:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 16 Nov 2019 10:24:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-rack-cors: CVE-2019-18978
Date: Sat, 16 Nov 2019 11:22:32 +0100
Source: ruby-rack-cors
Version: 1.0.2-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for ruby-rack-cors.

CVE-2019-18978[0]:
| An issue was discovered in the rack-cors (aka Rack CORS Middleware)
| gem before 1.0.4 for Ruby. It allows ../ directory traversal to access
| private resources because resource matching does not ensure that
| pathnames are in a canonical format.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-18978
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18978
[1] https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Pirate Praveen <praveen@debian.org>:
You have taken responsibility. (Sat, 15 Feb 2020 12:39:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 15 Feb 2020 12:39:05 GMT)


Message #10 received at 944849-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 944849-close@bugs.debian.org
Subject: Bug#944849: fixed in ruby-rack-cors 1.1.1-1
Date: Sat, 15 Feb 2020 12:34:27 +0000
Source: ruby-rack-cors
Source-Version: 1.1.1-1
Done: Pirate Praveen <praveen@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-rack-cors, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 944849@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated ruby-rack-cors package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 15 Feb 2020 13:03:39 +0100
Source: ruby-rack-cors
Architecture: source
Version: 1.1.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Closes: 944849
Changes:
 ruby-rack-cors (1.1.1-1) unstable; urgency=medium
 .
   [ Utkarsh Gupta ]
   * Add salsa-ci.yml
 .
   [ Pirate Praveen ]
   * New upstream version 1.1.1 (Closes: #944849) (Fixes: CVE-2019-18978)
   * Bump Standards-Version to 4.5.0 (no changes needed)
   * Drop compat file, rely on debhelper-compat and bump compat level to 12
Checksums-Sha1:
 2635f8a931bc7908a2bfb5651c95da33b8cf6848 2088 ruby-rack-cors_1.1.1-1.dsc
 e82014fcd24e82f6661ab3d641987659e12b2be2 49925 ruby-rack-cors_1.1.1.orig.tar.gz
 268101d20048298f9e74470482ab86e42c47e5c1 2820 ruby-rack-cors_1.1.1-1.debian.tar.xz
 4f308b91f0d68346b8370745c9d0eaa34c169e24 13637 ruby-rack-cors_1.1.1-1_source.buildinfo
Checksums-Sha256:
 2180a83dcb3dff289677ca0964c7762f59392d81209f59322802cefde616bfe1 2088 ruby-rack-cors_1.1.1-1.dsc
 1f96f5fbc5ad25e3a007aa62fadcd148e5cd2322c0e306a5afe82a05d9a3b602 49925 ruby-rack-cors_1.1.1.orig.tar.gz
 38cdc74294bbdba87ba012c5c0f458bdef950237af30ec100bdb118c455c8be6 2820 ruby-rack-cors_1.1.1-1.debian.tar.xz
 00320fcacf4d6ed90b9f9ef2fdd82e4208539cafacca146ec456d12a5687e063 13637 ruby-rack-cors_1.1.1-1_source.buildinfo
Files:
 e73dd23a0a24de840308f617c75865b5 2088 ruby optional ruby-rack-cors_1.1.1-1.dsc
 c220a88dce97e78b9523d0709df422ae 49925 ruby optional ruby-rack-cors_1.1.1.orig.tar.gz
 1927f1f36d65742deaad1e44f1b2278c 2820 ruby optional ruby-rack-cors_1.1.1-1.debian.tar.xz
 73dc961d8e8a54ad42e15cd468ac0a37 13637 ruby optional ruby-rack-cors_1.1.1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Utkarsh Gupta <utkarsh@debian.org>:
You have taken responsibility. (Wed, 19 May 2021 15:33:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 19 May 2021 15:33:03 GMT)


Message #15 received at 944849-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 944849-close@bugs.debian.org
Subject: Bug#944849: fixed in ruby-rack-cors 1.0.2-1+deb10u1
Date: Wed, 19 May 2021 15:32:11 +0000
Source: ruby-rack-cors
Source-Version: 1.0.2-1+deb10u1
Done: Utkarsh Gupta <utkarsh@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-rack-cors, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 944849@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utkarsh@debian.org> (supplier of updated ruby-rack-cors package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 13 May 2021 15:24:15 +0530
Source: ruby-rack-cors
Binary: ruby-rack-cors
Architecture: source all
Version: 1.0.2-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Description:
 ruby-rack-cors - enable Cross-Origin Resource Sharing in Rack apps
Closes: 944849
Changes:
 ruby-rack-cors (1.0.2-1+deb10u1) buster-security; urgency=high
 .
   * Unescape and resolve paths before resource checks.
     (Fixes: CVE-2019-18978) (Closes: #944849)
Checksums-Sha1:
 bb7aec89d0af8cdb687767dba955808bdbe5f4e0 2144 ruby-rack-cors_1.0.2-1+deb10u1.dsc
 f525680c94392d5f223e2b0ca2f971b4cffa2ced 49170 ruby-rack-cors_1.0.2.orig.tar.gz
 0604aa1ea8f6a224fdc36ce3aaf8349ad708ec80 4192 ruby-rack-cors_1.0.2-1+deb10u1.debian.tar.xz
 214a5eedb52d34d5292499c4cf3e42e1a4ff5aeb 11036 ruby-rack-cors_1.0.2-1+deb10u1_all.deb
 c8d8046bb6ce33e282e67051c00ff5a153b8f299 9494 ruby-rack-cors_1.0.2-1+deb10u1_amd64.buildinfo
Checksums-Sha256:
 0d79bce9231a1decb488e4c2ad08cabbd5e5b60cfbd1e0fa5d4b211a70c14869 2144 ruby-rack-cors_1.0.2-1+deb10u1.dsc
 d035fe0d41f28f8955c826b20fc25b967688681ac0a6820030626dc55198cd8a 49170 ruby-rack-cors_1.0.2.orig.tar.gz
 4f95b6d6a2e31708aadf33dea212ec16b69d570b6f951754c8c2207eaee566a6 4192 ruby-rack-cors_1.0.2-1+deb10u1.debian.tar.xz
 cfa785adde4250649ad298c899cfd69ca88e926118acf843c14e111055ca206b 11036 ruby-rack-cors_1.0.2-1+deb10u1_all.deb
 28e27c4ad38a15d2292f1af53117e0835c098c2682d8d10e8faa4d320ff17168 9494 ruby-rack-cors_1.0.2-1+deb10u1_amd64.buildinfo
Files:
 07837358966a7dc2078153a75ce9db10 2144 ruby optional ruby-rack-cors_1.0.2-1+deb10u1.dsc
 20cb389d338c21e44e886b29e600ff40 49170 ruby optional ruby-rack-cors_1.0.2.orig.tar.gz
 6257663b225918c91990bffba3d522a8 4192 ruby optional ruby-rack-cors_1.0.2-1+deb10u1.debian.tar.xz
 bef2ba6bdb33efb79ecb16f8e9875447 11036 ruby optional ruby-rack-cors_1.0.2-1+deb10u1_all.deb
 6ba8182ddbc7e9b8800077581a6894bc 9494 ruby optional ruby-rack-cors_1.0.2-1+deb10u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
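The two technical statements in this log are the CVE text in message #5 (resource matching "does not ensure that pathnames are in a canonical format", so `../` can reach a resource protected by a stricter rule) and the buster-security changelog above ("Unescape and resolve paths before resource checks"). The following is an added illustration, not code from the rack-cors gem, the upstream commit or the Debian package: a toy CORS resource matcher whose `canonicalize: false` mode reproduces the flaw by matching the raw `PATH_INFO`, and whose `canonicalize: true` mode applies the remedy the changelog describes. The resource rules, the paths and the origins (`admin.example.test`, `evil.example.test`) are constructed for the example; the glob-to-regex translation and the canonicalization routine are this example's own, written in plain Ruby so it runs without the rack gem.

```ruby
# Added example for CVE-2019-18978 (not the rack-cors gem's own code).
# Demonstrates why a CORS middleware must match the canonical path, not the
# raw PATH_INFO string the client sent.

# One CORS resource rule: a glob-style path (rack-cors accepts patterns such
# as '/public/*') and the origins allowed to read it.
class Resource
  attr_reader :pattern, :origins

  def initialize(pattern, origins)
    @pattern = pattern
    @origins = origins
    # Glob -> anchored regex; '*' matches any run of characters, '/' included.
    # Illustrative translation for this example, not rack-cors's own.
    @regex = /\A#{Regexp.escape(pattern).gsub('\*', '.*')}\z/
  end

  def match?(path)
    @regex.match?(path)
  end
end

# Constructed policy: /public/ is readable from any origin cross-site,
# /private/ only from the (hypothetical) admin origin.
RESOURCES = [
  Resource.new('/public/*',  ['*']),
  Resource.new('/private/*', ['https://admin.example.test']),
].freeze

# Percent-decode once, then drop '.' segments and resolve '..' segments, so
# the string we match against the rules is the path the application will
# actually resolve. Returns nil for a path that is never legitimate
# (embedded NUL). Trailing slashes are not preserved in this toy version.
def canonical_path(path_info)
  decoded = path_info.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  return nil if decoded.include?("\0")

  segments = []
  decoded.split('/').each do |seg|
    case seg
    when '', '.' then next          # empty (from '//') and current-dir segments
    when '..'    then segments.pop  # pop on an empty array: cannot climb above '/'
    else              segments << seg
    end
  end
  '/' + segments.join('/')
end

# Origins permitted to read this path. canonicalize: false is the behaviour
# the CVE describes (match the raw string); canonicalize: true is the fix.
def allowed_origins(path_info, canonicalize:)
  path = canonicalize ? canonical_path(path_info) : path_info
  return [] if path.nil?

  rule = RESOURCES.find { |r| r.match?(path) }
  rule ? rule.origins : []
end

# The Access-Control-Allow-Origin value the middleware would emit for a
# request with this Origin, or nil when the origin is not allowed.
def access_control_allow_origin(path_info, origin, canonicalize:)
  origins = allowed_origins(path_info, canonicalize: canonicalize)
  return '*'    if origins.include?('*')
  return origin if origins.include?(origin)
  nil
end

if $PROGRAM_NAME == __FILE__
  attacker = 'https://evil.example.test'
  # Plain and percent-encoded traversal: both match '/public/*' textually
  # while the application resolves them to /private/secret.
  ['/public/../private/secret', '/public/%2e%2e/private/secret'].each do |p|
    before = access_control_allow_origin(p, attacker, canonicalize: false)
    after  = access_control_allow_origin(p, attacker, canonicalize: true)
    puts "#{p}: vulnerable=#{before.inspect} fixed=#{after.inspect}"
  end
end
```

The point to take from the vulnerable mode is not that the middleware itself serves anything: it is that the CORS decision is made on one string (`/public/../private/secret`, which satisfies `/public/*`) while the application's router or static-file handler resolves another (`/private/secret`). Whether the browser can then read the private response depends on the application actually serving the resolved path, which is why the CVE text speaks of access to "private resources" rather than of a bug in the middleware's own responses. Decoding exactly once before resolving also matters: double-encoded input such as `%252e%252e` decodes to the literal `%2e%2e`, which is what a once-decoding server would see as well, so the middleware and the application stay in agreement.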




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 20 Jun 2021 07:26:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Oct 8 03:06:40 2023; Machine Name: buxtehude
