Bug#1002995: marked as done (ruby3.0: CVE-2021-41816 CVE-2021-41817 CVE-2021-41819)
Your message dated Mon, 14 Mar 2022 00:24:40 + with message-id and subject line
Bug#1002995: fixed in ruby3.0 3.0.3-1
has caused the Debian Bug report #1002995,
regarding ruby3.0: CVE-2021-41816 CVE-2021-41817 CVE-2021-41819
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1002995: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002995
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: ruby3.0
Version: 3.0.2-5
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerabilities were published for ruby3.0; they were fixed
upstream in 3.0.3.

CVE-2021-41816[0]:
| Buffer Overrun in CGI.escape_html

CVE-2021-41817[1]:
| Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS
| (regular expression Denial of Service) via a long string. The fixed
| versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

CVE-2021-41819[2]:
| CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes
| in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41816
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41816
[1] https://security-tracker.debian.org/tracker/CVE-2021-41817
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41817
[2] https://security-tracker.debian.org/tracker/CVE-2021-41819
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41819

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: ruby3.0
Source-Version: 3.0.3-1
Done: Antonio Terceiro

We believe that the bug you reported is fixed in the latest version of
ruby3.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1002...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro (supplier of updated ruby3.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 13 Mar 2022 21:02:08 -0300
Source: ruby3.0
Architecture: source
Version: 3.0.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team
Changed-By: Antonio Terceiro
Closes: 1002995
Changes:
 ruby3.0 (3.0.3-1) unstable; urgency=medium
 .
   * New upstream version 3.0.3.
     Includes fixes for the following security issues (Closes: #1002995):
     - CVE-2021-41816: Buffer Overrun in CGI.escape_html
     - CVE-2021-41817: regular expression Denial of Service in Date.parse
     - CVE-2021-41819: mishandling of security prefixes in CGI::Cookie.parse
   * Refresh patches
   * autopkgtest: builtin-extensions: check openssl version
   * debian/libruby3.0.symbols: update
   * Fix generation of Provides:
   * Exclude some tests from TestGemServer
--- End Message ---
Bug#1002995: marked as done (ruby3.0: CVE-2021-41816 CVE-2021-41817 CVE-2021-41819)
Your message dated Sun, 13 Feb 2022 17:47:08 + with message-id and subject line
Bug#1002995: fixed in ruby2.7 2.7.4-1+deb11u1
has caused the Debian Bug report #1002995,
regarding ruby3.0: CVE-2021-41816 CVE-2021-41817 CVE-2021-41819
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1002995: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002995
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: ruby2.7
Source-Version: 2.7.4-1+deb11u1
Done: Utkarsh Gupta

We believe that the bug you reported is fixed in the latest version of
ruby2.7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1002...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta (supplier of updated ruby2.7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 27 Jan 2022 21:16:13 +0530
Source: ruby2.7
Architecture: source
Version: 2.7.4-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Ruby Team
Changed-By: Utkarsh Gupta
Closes: 1002995
Changes:
 ruby2.7 (2.7.4-1+deb11u1) bullseye-security; urgency=high
 .
   * Add length limit option for methods that parse date strings.
     (Fixes: CVE-2021-41817)
   * When parsing cookies, only decode the values.
     (Fixes: CVE-2021-41819)
   * Add patch to fix integer overflow.
     (Fixes: CVE-2021-41816)
     (Closes: #1002995)
--- End Message ---
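The ruby2.7 changelog above describes the CVE-2021-41817 fix as a length limit on the date-parsing methods. As an added example (not code from this bug thread or from the Debian package), the wrapper below enforces an explicit length policy on untrusted input and also passes the `limit:` keyword that the fixed date gem added to `Date.parse`, so an overlong string is rejected before the backtracking regular expressions ever run; `DATE_INPUT_LIMIT` and `parse_untrusted_date` are names chosen here, and the block assumes a date gem that carries the fix (3.2.1 / 3.1.2 / 3.0.2 / 2.0.1 or later).

```ruby
require "date"

# Added example, not from the Debian bug thread or the ruby packages.
# The CVE-2021-41817 fix adds a `limit:` keyword (default 128) to
# Date.parse and related methods; input longer than the limit raises
# ArgumentError before the date regexps are run against it.
# Assumption: a date gem >= 3.2.1 (or the other fixed branches), where
# `limit:` exists. DATE_INPUT_LIMIT and parse_untrusted_date are names
# chosen for this example.
DATE_INPUT_LIMIT = 64 # tighter than the gem default; no real date needs more

# Parse a date string from an untrusted source (form field, header, log).
# Returns [:ok, Date] on success or [:rejected, reason] otherwise; it never
# raises, so malformed input cannot turn into an unhandled exception.
def parse_untrusted_date(text, limit: DATE_INPUT_LIMIT)
  return [:rejected, "not a string"] unless text.is_a?(String)
  # Explicit length policy, enforced before calling into the gem, so the
  # behaviour does not silently depend on the gem's own default.
  if text.bytesize > limit
    return [:rejected, "input length #{text.bytesize} exceeds limit #{limit}"]
  end
  # Pass the same limit down; on a fixed gem this is a second line of defence.
  [:ok, Date.parse(text, true, Date::ITALY, limit: limit)]
rescue ArgumentError => e
  # Date::Error ("invalid date") is a subclass of ArgumentError, as is the
  # gem's own "string length exceeds the limit" error.
  [:rejected, e.message]
end
```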