Debian Bug report logs - #963477
ruby-rack: CVE-2020-8184


Package: src:ruby-rack; Maintainer for src:ruby-rack is Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 22 Jun 2020 07:03:01 UTC

Severity: grave

Tags: security, upstream

Found in versions ruby-rack/2.0.6-3, ruby-rack/2.1.1-5

Fixed in version ruby-rack/2.1.1-6

Done: Utkarsh Gupta <utkarsh@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#963477; Package src:ruby-rack. (Mon, 22 Jun 2020 07:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 22 Jun 2020 07:03:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-rack: CVE-2020-8184
Date: Mon, 22 Jun 2020 09:02:13 +0200
Source: ruby-rack
Version: 2.1.1-5
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for ruby-rack.

CVE-2020-8184[0]:
| A reliance on cookies without validation/integrity check security
| vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it
| possible for an attacker to forge a secure or host-only cookie
| prefix.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8184
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8184

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#963477; Package src:ruby-rack. (Fri, 01 Jan 2021 20:33:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 01 Jan 2021 20:33:02 GMT)


Message #10 received at 963477@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 963477@bugs.debian.org
Cc: Utkarsh Gupta <utkarsh@debian.org>
Subject: Re: Bug#963477: ruby-rack: CVE-2020-8184
Date: Fri, 1 Jan 2021 21:32:26 +0100
Control: severity -1 grave

Cc'ing Utkarsh as one of the last uploaders.

On Mon, Jun 22, 2020 at 09:02:13AM +0200, Salvatore Bonaccorso wrote:
> Source: ruby-rack
> Version: 2.1.1-5
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> The following vulnerability was published for ruby-rack.
> 
> CVE-2020-8184[0]:
> | A reliance on cookies without validation/integrity check security
> | vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it
> | possible for an attacker to forge a secure or host-only cookie
> | prefix.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2020-8184
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8184
> 
> Please adjust the affected versions in the BTS as needed.

While strictly speaking this issue is no-dsa for buster, I'm raising
the severity to RC; would it be possible to address this issue for
unstable (and so bullseye) before the freeze?

Regards,
Salvatore



Severity set to 'grave' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to 963477-submit@bugs.debian.org. (Fri, 01 Jan 2021 20:33:02 GMT)


Marked as found in versions ruby-rack/2.0.6-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Jan 2021 20:33:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#963477; Package src:ruby-rack. (Sat, 02 Jan 2021 12:18:02 GMT)


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 02 Jan 2021 12:18:02 GMT)


Message #19 received at 963477@bugs.debian.org:

From: Utkarsh Gupta <utkarsh@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 963477@bugs.debian.org
Subject: Re: Bug#963477: ruby-rack: CVE-2020-8184
Date: Sat, 2 Jan 2021 17:45:04 +0530
Hello,

On Sat, Jan 2, 2021 at 2:02 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
> While strictly speaking this issue is no-dsa for buster, I'm raising
> the severity to RC; would it be possible to address this issue for
> unstable (and so bullseye) before the freeze?

Of course. Uploaded a fix! :)
(thanks for the explicit CC, please do it next time as well if you
want me to take care of something which falls under the Ruby team).


- u



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#963477; Package src:ruby-rack. (Sat, 02 Jan 2021 12:27:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 02 Jan 2021 12:27:03 GMT)


Message #24 received at 963477@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Utkarsh Gupta <utkarsh@debian.org>, 963477@bugs.debian.org
Subject: Re: Bug#963477: ruby-rack: CVE-2020-8184
Date: Sat, 2 Jan 2021 13:25:07 +0100
Hi Utkarsh

On Sat, Jan 02, 2021 at 05:45:04PM +0530, Utkarsh Gupta wrote:
> Hello,
> 
> On Sat, Jan 2, 2021 at 2:02 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > While strictly speaking this issue is no-dsa for buster, I'm raising
> > the severity to RC; would it be possible to address this issue for
> > unstable (and so bullseye) before the freeze?
> 
> Of course. Uploaded a fix! :)
> (thanks for the explicit CC, please do it next time as well if you
> want me to take care of something which falls under the Ruby team).

Thanks! About the explicit CC, well actually I was a bit "wary",
because if it's team maintained one should not start explicitly pinging
some of the uploaders. But I'm glad if this was possible. Indeed there
would be more ruby team maintained packages which are currently no-dsa
marked but maybe would be good to fix for and in bullseye. There are
issues for instance in ruby-faye and ruby-faye-websocket as well:
967061, 959392, 967063.

Possibly though we are not too late for those for bullseye.

Regards and thank you!
Salvatore



Reply sent to Utkarsh Gupta <utkarsh@debian.org>:
You have taken responsibility. (Sat, 02 Jan 2021 12:39:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 02 Jan 2021 12:39:18 GMT)


Message #29 received at 963477-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 963477-close@bugs.debian.org
Subject: Bug#963477: fixed in ruby-rack 2.1.1-6
Date: Sat, 02 Jan 2021 12:35:35 +0000
Source: ruby-rack
Source-Version: 2.1.1-6
Done: Utkarsh Gupta <utkarsh@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 963477@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utkarsh@debian.org> (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 02 Jan 2021 17:42:02 +0530
Source: ruby-rack
Architecture: source
Version: 2.1.1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Closes: 963477
Changes:
 ruby-rack (2.1.1-6) unstable; urgency=medium
 .
   [ Cédric Boutillier ]
   * [ci skip] Update team name
   * [ci skip] Add .gitattributes to keep unwanted files out
     of the source package
 .
   [ Debian Janitor ]
   * Apply multi-arch hints. + ruby-rack: Add :all qualifier
     for ruby dependency.
 .
   [ Utkarsh Gupta ]
   * When parsing cookies, only decode the values.
     Patch utils to fix cookie parsing. (Fixes: CVE-2020-8184)
     (Closes: #963477)


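The changelog entry in the message above ("When parsing cookies, only decode the values") is the whole fix. As an added illustration that is not Rack's own code, the simplified parser below shows the pre-fix behaviour beside the fixed one on a constructed Cookie header, plus a check a defender can run over raw cookie names; the function names, the sample header and PREFIXES are assumptions of this example.

```ruby
require 'cgi'

# Constructed sample Cookie header: the second cookie's NAME is
# percent-encoded so that decoding it yields the reserved "__Host-"
# prefix, while the third carries the prefix literally (a browser only
# accepts a literal "__Host-" name from a secure, host-scoped Set-Cookie).
SAMPLE_HEADER = 'theme=dark; %5F%5FHost-session=attacker-chosen; __Host-session=real'

# Split "a=1; b=2" into [[name, value], ...] without decoding anything.
def split_pairs(header)
  header.to_s.split(/;\s*/).reject(&:empty?).map { |pair| pair.split('=', 2) }
end

# Pre-fix behaviour (an illustration of the logic the CVE describes, not
# Rack's own source): name and value are both URL-decoded, so the encoded
# name collapses onto the prefixed one; the first occurrence wins.
def parse_cookies_decode_names(header)
  split_pairs(header).each_with_object({}) do |(name, value), cookies|
    name = CGI.unescape(name)
    cookies[name] = CGI.unescape(value.to_s) unless cookies.key?(name)
  end
end

# Post-fix behaviour: only the value is decoded and the name is kept
# literally, so "%5F%5FHost-session" and "__Host-session" stay distinct.
def parse_cookies_decode_values_only(header)
  split_pairs(header).each_with_object({}) do |(name, value), cookies|
    cookies[name] = CGI.unescape(value.to_s) unless cookies.key?(name)
  end
end

PREFIXES = %w[__Host- __Secure-].freeze

# Defensive check for logging or alerting: a raw cookie name that only
# gains a reserved prefix after decoding was not issued under that
# prefix's rules by the browser, so treat it as suspect.
def forged_prefix?(raw_name)
  decoded = CGI.unescape(raw_name)
  PREFIXES.any? { |p| decoded.start_with?(p) && !raw_name.start_with?(p) }
end
```

With the sample header the pre-fix parser returns "attacker-chosen" for `__Host-session` and drops the genuine cookie, while the fixed parser returns "real" and keeps the encoded name as a separate, literal key.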



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#963477; Package src:ruby-rack. (Sat, 02 Jan 2021 13:12:02 GMT)


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 02 Jan 2021 13:12:02 GMT)


Message #34 received at 963477@bugs.debian.org:

From: Utkarsh Gupta <utkarsh@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 963477@bugs.debian.org
Subject: Re: Bug#963477: ruby-rack: CVE-2020-8184
Date: Sat, 2 Jan 2021 18:38:37 +0530
Hi Salvatore,

On Sat, Jan 2, 2021 at 5:55 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Of course. Uploaded a fix! :)
> > (thanks for the explicit CC, please do it next time as well if you
> > want me to take care of something which falls under the Ruby team).
>
> Thanks! About the explicit CC, well actually I was a bit "wary",
> because if it's team maintained one should not start explicitly pinging
> some of the uploaders. But I'm glad if this was possible.

It's not a problem, I am happy to help the security team as much as I
possibly can (though you'd hopefully know that by now ;)).

> Indeed there would be more ruby team maintained packages which
> are currently no-dsa marked but maybe would be good to fix for
> and in bullseye. There are issues for instance in ruby-faye and
> ruby-faye-websocket as well: 967061, 959392, 967063.

Eeks, sorry for not noticing them earlier. But I've uploaded a fix for all
three of them^ :)

Let me know if there are more that need immediate fixing or so! \o/


- u



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#963477; Package src:ruby-rack. (Sat, 02 Jan 2021 20:09:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 02 Jan 2021 20:09:02 GMT)


Message #39 received at 963477@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Utkarsh Gupta <utkarsh@debian.org>
Cc: 963477@bugs.debian.org
Subject: Re: Bug#963477: ruby-rack: CVE-2020-8184
Date: Sat, 2 Jan 2021 21:04:40 +0100
Hi Utkarsh,

On Sat, Jan 02, 2021 at 06:38:37PM +0530, Utkarsh Gupta wrote:
> Hi Salvatore,
> 
> On Sat, Jan 2, 2021 at 5:55 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > > Of course. Uploaded a fix! :)
> > > (thanks for the explicit CC, please do it next time as well if you
> > > want me to take care of something which falls under the Ruby team).
> >
> > Thanks! About the explicit CC, well actually I was a bit "wary",
> > because if it's team maintained one should not start explicitly pinging
> > some of the uploaders. But I'm glad if this was possible.
> 
> It's not a problem, I am happy to help the security team as much as I
> possibly can (though you'd hopefully know that by now ;)).

Yes :)

> 
> > Indeed there would be more ruby team maintained packages which
> > are currently no-dsa marked but maybe would be good to fix for
> > and in bullseye. There are issues for instance in ruby-faye and
> > ruby-faye-websocket as well: 967061, 959392, 967063.
> 
> Eeks, sorry for not noticing them earlier. But I've uploaded a fix for all
> three of them^ :)
> 
> Let me know if there are more that need immediate fixing or so! \o/

Not any right now. Well there is CVE-2020-26247 but that one might be
too risky at this stage (AFAIU it is a breaking change, and thus was
moved to the 1.11.x version).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#963477; Package src:ruby-rack. (Sat, 16 Jan 2021 10:33:02 GMT)


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 16 Jan 2021 10:33:02 GMT)


Message #44 received at 963477@bugs.debian.org:

From: Utkarsh Gupta <utkarsh@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 963477@bugs.debian.org
Subject: Re: Bug#963477: ruby-rack: CVE-2020-8184
Date: Sat, 16 Jan 2021 16:00:54 +0530
Hi Salvatore,

On Sun, Jan 3, 2021 at 1:34 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
> Not any right now. Well there is CVE-2020-26247 but that one might be
> too risky at this stage (AFAIU it is a breaking change, and thus was
> moved to the 1.11.x version).

Lucas uploaded a new version, thereby fixing this as well. So yay! \o/


- u



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Aug 2021 07:39:51 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Oct 8 03:13:42 2023; Machine Name: bembo
