Your message dated Sun, 08 Sep 2024 00:06:02 +0000
with message-id <e1sn5rk-006uan...@fasolo.debian.org>
and subject line Bug#1059300: fixed in ruby-sidekiq 7.3.2+dfsg-1
has caused the Debian Bug report #1059300,
regarding ruby-sidekiq: CVE-2023-26141
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1059300: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059300
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-sidekiq
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ruby-sidekiq.

CVE-2023-26141[0]:
| Versions of the package sidekiq before 7.1.3 are vulnerable to
| Denial of Service (DoS) due to insufficient checks in the dashboard-
| charts.js file. An attacker can exploit this vulnerability by
| manipulating the localStorage value which will cause excessive
| polling requests.

https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107
https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89
 (v7.1.3)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26141
    https://www.cve.org/CVERecord?id=CVE-2023-26141

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: ruby-sidekiq
Source-Version: 7.3.2+dfsg-1
Done: Cédric Boutillier <bou...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-sidekiq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cédric Boutillier <bou...@debian.org> (supplier of updated ruby-sidekiq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 08 Sep 2024 00:57:22 +0200
Source: ruby-sidekiq
Architecture: source
Version: 7.3.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Cédric Boutillier <bou...@debian.org>
Closes: 1059300 1070004
Changes:
 ruby-sidekiq (7.3.2+dfsg-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 7.3.2+dfsg
     + fix reflected XSS vulnerability CVE-2024-32887 (Closes: #1070004)
     + fix DoS vulnerability CVE-2023-26141 (Closes: #1059300)
   * Refresh packaging files with dh-make-ruby -w
   * Add upstream metadata
Checksums-Sha1:
 ce82998fe12f84b9c117bd85c2a3c6067e0705a4 1804 ruby-sidekiq_7.3.2+dfsg-1.dsc
 91f22004b4bdc219129a91f068ed011f9b9dc5eb 167556 ruby-sidekiq_7.3.2+dfsg.orig.tar.xz
 93234e785026a99b18bd994ceddc670dd61b36a4 5268 ruby-sidekiq_7.3.2+dfsg-1.debian.tar.xz
 67e7655fe072448e842e1496fa9d06e60a3d9f72 12652 ruby-sidekiq_7.3.2+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 748e343eeeec9f6e7a44ac1d1d6cc634f59ac01377a987b6f6c1d7b1fd9d557b 1804 ruby-sidekiq_7.3.2+dfsg-1.dsc
 be3673a8a48c0df8d26c979f044245845b91717dc6e04b7851feedf9c538ce65 167556 ruby-sidekiq_7.3.2+dfsg.orig.tar.xz
 92976c23f254ec85d42dc94e44b69986d7e15a2c6bf878253fbd5eff3788d263 5268 ruby-sidekiq_7.3.2+dfsg-1.debian.tar.xz
 373f9774e619f12b2577598fc34a78f8e45255700c81674edd78999c0e03097c 12652 ruby-sidekiq_7.3.2+dfsg-1_amd64.buildinfo
Files:
 b966f1302fa2ec15ce27c31f80a03f3a 1804 ruby optional ruby-sidekiq_7.3.2+dfsg-1.dsc
 3da3c1041934b46b4901f1ca548be208 167556 ruby optional ruby-sidekiq_7.3.2+dfsg.orig.tar.xz
 772b0461c7b7b9557a81e0956774268d 5268 ruby optional ruby-sidekiq_7.3.2+dfsg-1.debian.tar.xz
 807f9bae3cf67f8bc6bb6839209077d1 12652 ruby optional ruby-sidekiq_7.3.2+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQSEz/3CFSD4gwbsKdFSaZq2P58rwwUCZtzligAKCRBSaZq2P58r
w5RGAQDSH3Armj78NMejF8710xEeew4n7L5EgnEwSX4x14rfuQEAr670V4rCKqU1
S+4gPhCh50MpI/mpi2hKFgcWS4eqdgI=
=J1Rq
-----END PGP SIGNATURE-----


--- End Message ---