Your message dated Sun, 15 Jan 2023 13:07:45 +0000
with message-id <[email protected]>
and subject line Bug#1024799: fixed in ruby3.1 3.1.2-4
has caused the Debian Bug report #1024799,
regarding ruby3.1: CVE-2021-33621
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1024799: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024799
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby3.1
Version: 3.1.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:ruby3.0 3.0.4-8
Control: retitle -2 ruby3.0: CVE-2021-33621
Hi,
The following vulnerability was published for ruby.
CVE-2021-33621[0]:
| The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5
| for Ruby allows HTTP response splitting. This is relevant to
| applications that use untrusted user input either to generate an HTTP
| response or to create a CGI::Cookie object.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-33621
https://www.cve.org/CVERecord?id=CVE-2021-33621
[1] https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
Regards,
Salvatore
--- End Message ---
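The CVE text above names two sinks: untrusted input used to generate an HTTP response, and untrusted input passed to CGI::Cookie. The Ruby below is an added example, not code from the bug report, from Debian or from the cgi gem. It rebuilds the vulnerable pattern with a toy Set-Cookie serializer, shows the split as a downstream proxy or cache would see it, and then applies the kind of allow-list check that rejects such input before it reaches the header stream. The function names, the regexes (modelled on RFC 6265 cookie syntax) and the attacker input are this example's own assumptions; the fixed gem's API is not reproduced here.

```ruby
# Added example (not code from the Debian bug report or the cgi gem).
# Shows why an unvalidated CGI::Cookie-style name/value is a response-
# splitting primitive, and the allow-list check that closes it.
# The regexes, function names and the constructed attacker input below are
# this example's own assumptions, modelled on RFC 6265 cookie syntax.

CRLF = "\r\n"

# Vulnerable serializer: builds Set-Cookie by plain interpolation, so CR/LF
# inside name, value or path lands in the header stream unchanged.
def naive_set_cookie(name, value, path: '/')
  "Set-Cookie: #{name}=#{value}; path=#{path}"
end

# Minimal response writer: status line, headers, blank line, body.
def build_response(headers, body)
  ["HTTP/1.1 200 OK", *headers, "", body].join(CRLF)
end

# A proxy or cache parsing the stream sees a second response if a second
# status line appears at the start of a line; counting them is the check.
def count_status_lines(raw)
  raw.scan(/^HTTP\/1\.1 \d{3} /).size
end

# Allow-lists (assumed, after RFC 6265): cookie-name is an HTTP token,
# cookie-value is cookie-octet, path is printable ASCII without ';'.
# None of them admit CR, LF or any other control character.
TOKEN_RE        = /\A[!\#\$%&'*+\-.^_`|~0-9A-Za-z]+\z/
COOKIE_VALUE_RE = /\A[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*\z/
PATH_RE         = /\A[\x20-\x3A\x3C-\x7E]*\z/

# Hardened serializer: refuse to emit anything outside the allow-lists.
def safe_set_cookie(name, value, path: '/')
  raise ArgumentError, "invalid cookie name: #{name.inspect}"   unless name.match?(TOKEN_RE)
  raise ArgumentError, "invalid cookie value: #{value.inspect}" unless value.match?(COOKIE_VALUE_RE)
  raise ArgumentError, "invalid cookie path: #{path.inspect}"   unless path.match?(PATH_RE)
  "Set-Cookie: #{name}=#{value}; path=#{path}"
end

# The same rule for any other header built from user input (the
# "generate an HTTP response" case in the CVE text): field names must be
# tokens and field values may not contain CR or LF.
def safe_header(name, value)
  raise ArgumentError, "invalid header name: #{name.inspect}" unless name.match?(TOKEN_RE)
  raise ArgumentError, "CR/LF in header value: #{value.inspect}" if value.match?(/[\r\n]/)
  "#{name}: #{value}"
end

# Constructed attacker input: a "session id" that terminates the real
# response and smuggles a complete second one carrying script.
EVIL_VALUE = "abc" + CRLF + "Content-Length: 0" + CRLF + CRLF +
             "HTTP/1.1 200 OK" + CRLF +
             "Content-Type: text/html" + CRLF +
             "Content-Length: 25" + CRLF + CRLF +
             "<script>alert(1)</script>"

# Vulnerable path: the attacker-controlled value goes straight into the stream.
def vulnerable_demo
  build_response([naive_set_cookie("sid", EVIL_VALUE)], "welcome")
end

# Hardened path: the same value is rejected before any header is written.
def hardened_demo
  safe_set_cookie("sid", EVIL_VALUE)
rescue ArgumentError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  puts "status lines in vulnerable output: #{count_status_lines(vulnerable_demo)}"
  puts "hardened: #{hardened_demo}"
end
```

Run it directly to see the vulnerable output carry two status lines while the hardened path raises. The point to carry over is that the check is an allow-list over the whole name, value and path rather than a strip of "\r\n": a lone CR or lone LF also terminates a header in some parsers, and ';' inside a value changes the cookie attributes, so only a positive grammar of permitted characters is safe.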
--- Begin Message ---
Source: ruby3.1
Source-Version: 3.1.2-4
Done: Antonio Terceiro <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ruby3.1, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Antonio Terceiro <[email protected]> (supplier of updated ruby3.1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 15 Jan 2023 08:27:59 -0300
Source: ruby3.1
Architecture: source
Version: 3.1.2-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Antonio Terceiro <[email protected]>
Closes: 1024799 1028890
Changes:
ruby3.1 (3.1.2-4) unstable; urgency=medium
.
* Replace cross pkg-config patch with patches applied upstream
* Apply upstream patch to fix TZ tests (Closes: #1028890)
* Drop exclude for TestTimeTZ, not needed anymore
* debian/libruby3.1.symbols: fix version of rb_gc_ractor_newobj_cache_clear
* debian/tests/builtin-extensions: also require libraries
* Add upstream patch to upgrade CGI extension to 0.3.5.
This fixes an HTTP response splitting vulnerability in CGI [CVE-2021-33621]
(Closes: #1024799)
Checksums-Sha1:
afd83aa45b0bd7c4bbbf04581c62298dd5edfa28 2477 ruby3.1_3.1.2-4.dsc
dd37602fbc0df1fb7c7796f9c1a72daaf9640f3b 66476 ruby3.1_3.1.2-4.debian.tar.xz
fdd4b04d397224b82c5d3a6f5f76bfa53706344e 8491 ruby3.1_3.1.2-4_amd64.buildinfo
Checksums-Sha256:
ce0704bd58c307b053ddb3470d8a3c4415e5eb4de3178d621edf3c5774e2b0bf 2477 ruby3.1_3.1.2-4.dsc
2f6406dc499facc4e8d227b9cb219c3a531e9ad162a486bfe222d8f0cd749ae8 66476 ruby3.1_3.1.2-4.debian.tar.xz
4edc1bcdbf2b3be02e215f37338e012327ef3e48dd07c8fb51422c007e44102b 8491 ruby3.1_3.1.2-4_amd64.buildinfo
Files:
cbb724d06ef66a8369a59952d53fb4db 2477 ruby optional ruby3.1_3.1.2-4.dsc
26211dee9cbc2f49197068e2dc0e71c6 66476 ruby optional ruby3.1_3.1.2-4.debian.tar.xz
9027ea3c1792643a5883641957802971 8491 ruby optional ruby3.1_3.1.2-4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---