Your message dated Mon, 09 Dec 2024 12:32:09 +0000
with message-id <[email protected]>
and subject line Bug#1038950: fixed in ruby-doorkeeper 5.5.0-2+deb12u1
has caused the Debian Bug report #1038950,
regarding ruby-doorkeeper: CVE-2023-34246
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1038950: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038950
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-doorkeeper
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for ruby-doorkeeper.
CVE-2023-34246[0]:
| Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior
| to version 5.6.6, Doorkeeper automatically processes authorization
| requests without user consent for public clients that have been
| previously approved. Public clients are inherently vulnerable to
| impersonation; their identity cannot be assured. This issue is fixed
| in version 5.6.6.
https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w
https://github.com/doorkeeper-gem/doorkeeper/issues/1589
https://github.com/doorkeeper-gem/doorkeeper/pull/1646
Fixed by:
https://github.com/doorkeeper-gem/doorkeeper/commit/f202079baac4c978a01ccc9a45d78fde368ac907
(v5.6.6)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-34246
https://www.cve.org/CVERecord?id=CVE-2023-34246
Please adjust the affected versions in the BTS as needed.
--- End Message ---
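The consent-skip decision the CVE text describes, written here as an added Ruby illustration with hypothetical names and constructed sample data (not Doorkeeper's own code): the vulnerable form skips the consent screen on any prior approval, while the hardened form also requires the client to be confidential.

```ruby
# Added illustration of the CVE-2023-34246 logic; hypothetical names, not
# Doorkeeper's code. An authorization server may skip the consent screen when
# the resource owner already granted the same client the same scopes. That is
# only safe for confidential clients, because a public client never
# authenticates: a request carrying its client_id could come from anyone.

Client = Struct.new(:id, :confidential, keyword_init: true)
Grant  = Struct.new(:client_id, :owner_id, :scopes, keyword_init: true)

# Constructed sample data: one confidential and one public client, each with
# an earlier grant for the same resource owner (id 42).
CLIENTS = {
  "web-app"    => Client.new(id: "web-app", confidential: true),
  "mobile-app" => Client.new(id: "mobile-app", confidential: false),
}.freeze
GRANTS = [
  Grant.new(client_id: "web-app",    owner_id: 42, scopes: %w[read write]),
  Grant.new(client_id: "mobile-app", owner_id: 42, scopes: %w[read]),
].freeze

# True when an existing grant for this client and owner covers every
# requested scope.
def matching_grant?(client_id, owner_id, scopes)
  GRANTS.any? do |g|
    g.client_id == client_id && g.owner_id == owner_id &&
      (scopes - g.scopes).empty?
  end
end

# Vulnerable form (behaviour before 5.6.6 as described in the advisory): a
# previous approval alone is enough to skip consent, regardless of client type.
def skip_consent_vulnerable?(client_id, owner_id, scopes)
  matching_grant?(client_id, owner_id, scopes)
end

# Hardened form: only a confidential client, i.e. one that proved its
# identity with a secret, may reuse a prior approval. Public or unknown
# clients always get the consent screen.
def skip_consent_hardened?(client_id, owner_id, scopes)
  client = CLIENTS[client_id]
  return false unless client && client.confidential

  matching_grant?(client_id, owner_id, scopes)
end
```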
--- Begin Message ---
Source: ruby-doorkeeper
Source-Version: 5.5.0-2+deb12u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ruby-doorkeeper, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated ruby-doorkeeper package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 08 Dec 2024 23:42:11 +0200
Source: ruby-doorkeeper
Architecture: source
Version: 5.5.0-2+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1038950
Changes:
ruby-doorkeeper (5.5.0-2+deb12u1) bookworm; urgency=medium
.
* Non-maintainer upload.
* CVE-2023-34246: Improper Authentication (Closes: #1038950)
--- End Message ---