Debian Bug report logs - #986807
CVE-2021-28965
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Mon, 12 Apr 2021 10:09:04 UTC
Severity: important
Tags: security, upstream
Found in version ruby2.7/2.7.2-3
Fixed in version ruby2.7/2.7.3-1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#986807; Package ruby2.7. (Mon, 12 Apr 2021 10:09:06 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 12 Apr 2021 10:09:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: ruby2.7
Version: 2.7.2-3
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
Cheers,
Moritz
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 12 Apr 2021 11:48:07 GMT)
Reply sent to Utkarsh Gupta <utkarsh@debian.org>: You have taken responsibility. (Sat, 17 Apr 2021 16:12:03 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Sat, 17 Apr 2021 16:12:03 GMT)
Message #12 received at 986807-done@bugs.debian.org:
Hello,
On Mon, 12 Apr 2021 12:06:13 +0200 Moritz Muehlenhoff <jmm@debian.org> wrote:
> https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
Fixed via 2.7.3-1 upload to unstable. Marked the same in the tracker.
Hope that helps.
- u
Marked as fixed in versions ruby2.7/2.7.3-1. Request was from Utkarsh Gupta <utkarsh@debian.org> to control@bugs.debian.org. (Sat, 17 Apr 2021 16:27:03 GMT)
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Sat, 17 Apr 2021 16:57:04 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Sat, 17 Apr 2021 16:57:04 GMT)
Message #19 received at 986807-done@bugs.debian.org:
Source: ruby2.7
Source-Version: 2.7.3-1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 17 Apr 2021 20:12:52 +0530
Source: ruby2.7
Architecture: source
Version: 2.7.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Changes:
ruby2.7 (2.7.3-1) unstable; urgency=medium
.
[ Chris Hofstaedtler ]
* Remove myself from Uploaders
.
[ Utkarsh Gupta ]
* New upstream version 2.7.3
- Fixes CVE-2021-28965: XML round-trip vulnerability in REXML.
* Refresh d/patches
* Drop patches that have been merged upstream
- d/p/0008-Fix-priority-order-of-paths-in-I-option.patch
- d/p/0010-Fix-IRBTestIRBHistory-tests.patch
- d/p/0013-Enable-arm64-optimizations-that-exist-for-power-x86-.patch
* Update symbols file
Checksums-Sha1:
bb91fb4eb91296e818877b1a3529f023779b3e58 2506 ruby2.7_2.7.3-1.dsc
6856bc503518da8662dc7ee01a701b9ff99abf55 10818116 ruby2.7_2.7.3.orig.tar.xz
e938e6284892eaf01dcfdbe623904b8028b87f0d 111508 ruby2.7_2.7.3-1.debian.tar.xz
19e31a5e553292dda5bda4c6d9f1f206cd10fe3e 8247 ruby2.7_2.7.3-1_amd64.buildinfo
Checksums-Sha256:
daa0c60654ebc25b1703e3c3b6b917f94b641e9c242979a9fea79c87342502b3 2506 ruby2.7_2.7.3-1.dsc
d61766c37ce31d799e9ff1643e3282f26b56c8f111507d06e650218bcdb0dbc0 10818116 ruby2.7_2.7.3.orig.tar.xz
ff884196c74ae4c563db9f48f1b2c655a629cb07872c8313ce8bae51336d525d 111508 ruby2.7_2.7.3-1.debian.tar.xz
2871e998ca172c118b8f3cc4336263db7f45e7f5bb297d03255ad8785c8e3580 8247 ruby2.7_2.7.3-1_amd64.buildinfo
Files:
3b841671db8047eb986f0ecbcce5106a 2506 ruby optional ruby2.7_2.7.3-1.dsc
0d16a39785ab35b790c282afff759c88 10818116 ruby optional ruby2.7_2.7.3.orig.tar.xz
ebe24613b7000f8f7c0961632f84a453 111508 ruby optional ruby2.7_2.7.3-1.debian.tar.xz
1b7cd213d9d397f8ba4ddd49c3b26f28 8247 ruby optional ruby2.7_2.7.3-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=sYuB
-----END PGP SIGNATURE-----
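The changelog above records the fix only as "XML round-trip vulnerability in REXML"; the crafted input behind the CVE is not on this page and is not reproduced here. The following is an added example, not code from the bug report, Debian, or the REXML project. It does the two checks a practitioner would want after reading this bug: (1) confirm that the REXML loaded by the interpreter is at or past the fixed release (3.2.5, the version the linked ruby-lang.org advisory tells users to upgrade to; Ruby 2.7.3, the fix version here, bundles it), and (2) exercise the round-trip property that this vulnerability class breaks, i.e. that a document serialised and re-parsed by REXML is still the same document. The function names, the `FIXED_REXML_VERSION` constant and the sample XML are my own, constructed for the example.

```ruby
require 'rexml/document'

# Lowest REXML release named by the upstream advisory linked in this bug as
# fixing CVE-2021-28965 (assumption taken from that advisory, not from this
# bug log). Ruby 2.7.3, the Debian fix version 2.7.3-1, bundles a fixed REXML.
FIXED_REXML_VERSION = Gem::Version.new('3.2.5')

# True when the given REXML version string is at or past the fixed release.
# Defaults to the REXML actually loaded in this interpreter.
def rexml_fixed?(version = REXML::VERSION)
  Gem::Version.new(version) >= FIXED_REXML_VERSION
end

# Decoded attribute values of every element, keyed by the element's XPath,
# so that two parses of "the same" document can be compared structurally
# rather than byte-for-byte.
def attribute_map(doc)
  map = {}
  REXML::XPath.each(doc, '//*') do |el|
    el.attributes.each { |name, value| map["#{el.xpath}/@#{name}"] = value }
  end
  map
end

# Parse, serialise, re-parse, serialise again. An "XML round-trip"
# vulnerability is a violation of exactly this property: the document a
# consumer sees after one serialise/parse cycle differs from the one the
# producer validated. Returns :stable (second serialisation equals the first),
# :attrs_match (decoded attribute values survive the cycle) and the data
# needed to inspect a failure.
def round_trip(xml)
  doc1 = REXML::Document.new(xml)
  s1 = doc1.to_s
  doc2 = REXML::Document.new(s1)
  s2 = doc2.to_s
  a1 = attribute_map(doc1)
  a2 = attribute_map(doc2)
  { stable: s1 == s2, attrs_match: a1 == a2, attrs: a2, first: s1, second: s2 }
end

# Constructed sample input (not taken from the bug report or the advisory):
# attribute values and text that need escaping are where a round-trip bug
# would show up, so that is what the sample exercises.
SAMPLE_XML = <<~XML
  <config>
    <entry key="&lt;b&gt;" note="a &amp; b">x &gt; y</entry>
  </config>
XML

if $PROGRAM_NAME == __FILE__
  status = rexml_fixed? ? 'at or past the fixed release' : 'older than 3.2.5, upgrade'
  puts "REXML #{REXML::VERSION}: #{status}"
  r = round_trip(SAMPLE_XML)
  puts "round trip stable: #{r[:stable]}, attributes preserved: #{r[:attrs_match]}"
  puts r[:attrs].inspect
end
```

Run it with the interpreter you are auditing (e.g. `ruby2.7 check.rb` on a system with the 2.7.2-3 package still installed) rather than whatever `ruby` resolves to; the version check reports on the REXML that interpreter loads, and a `gem install rexml` newer than the bundled copy will shadow it. The round-trip check on benign input cannot prove the absence of the bug, it only establishes the invariant that a regression test for the crafted case would assert on.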
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 May 2021 07:24:49 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Sun Oct 8 03:09:37 2023; Machine Name: bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.