Your message dated Sat, 20 Aug 2022 20:38:34 +0000
with message-id <[email protected]>
and subject line Bug#1014717: fixed in ruby-sinatra 2.2.2-1
has caused the Debian Bug report #1014717,
regarding ruby-sinatra: CVE-2022-29970
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1014717: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014717
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-sinatra
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ruby-sinatra.

CVE-2022-29970[0]:
| Sinatra before 2.2.0 does not validate that the expanded path matches
| public_dir when serving static files.

https://github.com/sinatra/sinatra/commit/462c3ca1db53ed3cfc394cf5948e9c948ad1c10e
 (v2.2.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-29970
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29970

Please adjust the affected versions in the BTS as needed.

--- End Message ---
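The CVE text above names the missing check; the following is an added illustration (not Sinatra's code, nor the reporter's) of the path-containment test a static-file server needs, showing the pre-2.2.0 shape of the problem beside the hardened form. The `/srv/public` root and the function names are assumptions for the demo.

```ruby
# Added illustration of the containment check CVE-2022-29970 describes as
# missing from Sinatra before 2.2.0. This is not Sinatra's own code; the
# function names and the /srv/public directory are assumptions for the demo.
require 'uri'

# Pre-2.2.0 shape of the problem: the request path is joined to public_dir
# and expanded, but nothing verifies the result is still under public_dir.
def unsafe_static_path(public_dir, request_path)
  decoded = URI.decode_www_form_component(request_path)
  File.expand_path(File.join(public_dir, decoded))
end

# Hardened form: returns the absolute path to serve, or nil when the
# resolved path is neither public_dir itself nor strictly below it.
def safe_static_path(public_dir, request_path)
  root = File.expand_path(public_dir)
  # Decode percent-encoding first so "%2e%2e" is compared as ".."
  # (this decoder also turns "+" into a space, which is harmless here).
  decoded = URI.decode_www_form_component(request_path)
  # Embedded NUL bytes can truncate the path in lower layers; refuse them.
  return nil if decoded.include?("\0")
  candidate = File.expand_path(File.join(root, decoded))
  # The trailing separator matters: without it "/srv/public_html/x"
  # would pass a plain prefix test against "/srv/public".
  return nil unless candidate == root || candidate.start_with?(root + File::SEPARATOR)
  candidate
rescue ArgumentError
  # Malformed percent-encoding: treat as not servable rather than guessing.
  nil
end

if __FILE__ == $PROGRAM_NAME
  ["/css/app.css", "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd",
   "/../public_html/secret"].each do |req|
    puts format("%-28s unsafe=%-24s safe=%s", req,
                unsafe_static_path("/srv/public", req).inspect,
                safe_static_path("/srv/public", req).inspect)
  end
end
```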
--- Begin Message ---
Source: ruby-sinatra
Source-Version: 2.2.2-1
Done: Antonio Terceiro <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ruby-sinatra, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <[email protected]> (supplier of updated ruby-sinatra package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 20 Aug 2022 17:09:40 -0300
Source: ruby-sinatra
Architecture: source
Version: 2.2.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Antonio Terceiro <[email protected]>
Closes: 1014717
Changes:
 ruby-sinatra (2.2.2-1) unstable; urgency=medium
 .
   * Team upload
 .
   [ Debian Janitor ]
   * Trim trailing whitespace.
   * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
     Repository-Browse.
 .
   [ Daniel Leidert ]
   * d/watch: Fix file.
 .
   [ Antonio Terceiro ]
   * New upstream version 2.2.2
     - Includes fix for file exfiltration when serving static assets [CVE-2022-29970]
       (Closes: #1014717)
   * debian/rules: drop deprecated boilerplate comments
   * debian/ruby-tests.rake: make it closer to the gem2deb template
   * debian/ruby-sinatra.docs: add README.malayalam.md
   * debian/control: update from dh-make-ruby template
     - Bump Standards-Version to 4.6.1; no changes needed
     - Use https URL for homepage
     - Drop hardcoded binary package dependencies in favor of ${ruby:Depends}
   * Refresh patches
   * Add new build dependency on rainbows
   * Stop running coffee-script tests
   * Add upstream patch to update dependency on mustermann
   * Add missing build dependency on ruby-multi-json


--- End Message ---
