Package: ruby1.9.1
Version: 1.9.3.194-7
Severity: minor

Dear Maintainer,

The ruby1.9.1 package contains a fix for CVE-2011-1005 (20120927-cve_2011_1005.patch). I submitted that fix to upstream and Debian[1] when I discovered that Ruby 1.9.x failed a regression test for CVE-2011-1005, despite the original Ruby security advisory[2] stating that 1.9.x was not affected.

After some discussion on the oss-security list, it turns out that Ruby 1.9.x was assigned[3] new CVE identifiers for this issue because of CVE assignment semantics. The issues in Ruby 1.9.x are assigned CVE-2012-4464 and CVE-2012-4466, *not* CVE-2011-1005.

20120927-cve_2011_1005.patch is complete and addresses all of the issues; it just happens to be named incorrectly. The "fix" for this bug is to simply rename the patch to avoid further confusion. There is also a revision[4] in the upstream 1.9.3 branch if you'd like to verify for yourself.

Sorry for any confusion!

Tyler

[1] http://bugs.debian.org/689075
[2] http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
[3] http://www.openwall.com/lists/oss-security/2012/10/03/9
[4] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37162

-- System Information:
Debian Release: wheezy/sid
  APT prefers raring-updates
  APT policy: (500, 'raring-updates'), (500, 'raring-security'), (500, 'raring')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8.0-6-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ruby1.9.1 depends on:
ii  libc6         2.17-0ubuntu4
pn  libruby1.9.1  <none>

ruby1.9.1 recommends no packages.

Versions of packages ruby1.9.1 suggests:
pn  graphviz            <none>
pn  ri1.9.1             <none>
pn  ruby-switch         <none>
pn  ruby1.9.1-dev       <none>
pn  ruby1.9.1-examples  <none>