On Thu, Jul 30, 2015 at 06:44:51AM +0200, Salvatore Bonaccorso wrote:
> Hi Antonio,
>
> On Wed, Jul 29, 2015 at 08:46:16PM -0300, Antonio Terceiro wrote:
> >
> > On Sat, Jun 27, 2015 at 10:23:31PM +0200, Christian Hofstaedtler wrote:
> > > Salvatore,
> > >
> > > * Salvatore Bonaccorso <car...@debian.org> [150627 13:57]:
> > > > Source: ruby2.1
> > > > Version: 2.1.5-1
> > > > Severity: important
> > > > Tags: security upstream patch fixed-upstream
> > > >
> > > > the following vulnerability was published for ruby2.1.
> > > >
> > > > CVE-2015-3900[0]:
> > > > | RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before
> > > > | 2.4.7 does not validate the hostname when fetching gems or making API
> > > > | request, which allows remote attackers to redirect requests to
> > > > | arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack
> > > > | attack."
> > >
> > > Thank you for bringing this to our attention. I suspect upstream
> > > will upgrade to 2.2.5 (on the ruby 2.1 branch) in the next few days,
> > > and then I'd like to import that, if nobody objects.
> >
> > upstream didn't do that until now, so I want to upload the attached
> > debdiff to jessie-security.
> >
> > the ruby packages are maintained with patches applied in git, so the
> > metadata is not visible in the debdiff. I applied these two commits,
> > cherry-picked from rubygems upstream (funny enough that they apply
> > cleanly on top of the ruby source):
> >
> > http://anonscm.debian.org/cgit/collab-maint/ruby.git/commit/?h=debian/jessie&id=9b945cadc3b157829a60debff1dd5c536644f9b2
> > http://anonscm.debian.org/cgit/collab-maint/ruby.git/commit/?h=debian/jessie&id=61f89c1e7b7ac864d840686aa7824eb04cba5cff
> >
> > Salvatore, please let me know if I can upload to jessie-security.
> > I will make similar uploads to unstable for both ruby2.1 and ruby2.2.
>
> The debdiff itself looks good to me (btw, for security upload use
> urgency=high for consistency).

ok

> Looking at the security-tracker,
> https://security-tracker.debian.org/tracker/CVE-2015-3900 we had
> marked this as no-dsa with the following comment,
>
> [jessie] - ruby2.1 <no-dsa> (Minor issue, can be coupled with a future Ruby
> DSA)
>
> So I suggest to either wait for a more urgent update for ruby2.1 to be
> targeted via a jessie-security update or ask stable release managers
> to schedule it via a jessie-pu.
>
> Fine with you?

sure

> Btw, there is
> https://security-tracker.debian.org/tracker/CVE-2009-5147 (but which
> still has a TODO item, so needs to be checked if this affects ruby2.1
> at all, so it as well has no decision yet about dsa/no-dsa).

if it was fixed upstream in 2009 as the comment at the bottom seems to
imply, it definitively doesn't apply to ruby1.9.1 in wheezy (actually
1.9.3) or anything newer than that.

-- 
Antonio Terceiro <terce...@debian.org>
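The CVE-2015-3900 text quoted in the thread says the bug is that a DNS SRV record could redirect gem fetches and API requests to an arbitrary host. The Ruby below is an added illustration of the check such a fetcher needs; it is not RubyGems' code, not the Debian patches linked above, and makes no claim about what those commits contain. The module name `SrvHostCheck`, the method names, and every hostname in it are constructed for the example. It contrasts a naive "ends with the host" test with a strict one that only accepts the original host or a proper subdomain of it.

```ruby
require 'uri'

# Added example (not RubyGems' or Debian's code): deciding whether a DNS SRV
# target may replace the API host an install was pointed at. Module and
# method names are this example's own; all hostnames are constructed.
module SrvHostCheck
  module_function

  # Canonical form of a DNS name: trimmed, no trailing dot, lowercase.
  def normalize(name)
    name.to_s.strip.chomp('.').downcase
  end

  # Naive check: "does the target end with the original host?". Too loose,
  # because a name that merely ends in the characters of the host
  # (evilrubygems.org for rubygems.org) passes without sharing a label.
  def naive_suffix_check?(host, target)
    normalize(target).end_with?(normalize(host))
  end

  # Strict check: the target must be the original host itself or a proper
  # subdomain of it (the leading dot enforces a label boundary), and it must
  # look like a plain DNS name so nothing odd reaches the URI layer.
  def allowed_target?(host, target)
    h = normalize(host)
    t = normalize(target)
    return false if h.empty? || t.empty?
    label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?'
    return false unless t.match?(/\A#{label}(\.#{label})*\z/)
    t == h || t.end_with?(".#{h}")
  end

  # Choose the endpoint to talk to: only an allowed SRV target replaces the
  # host; on any other target the original URI is returned unchanged.
  def api_endpoint(uri, srv_target)
    uri = URI(uri)
    return uri unless allowed_target?(uri.host, srv_target)
    redirected = uri.dup
    redirected.host = normalize(srv_target)
    redirected
  end
end

if $PROGRAM_NAME == __FILE__
  origin = 'https://rubygems.org/api/v1/dependencies' # constructed URI
  ['api.rubygems.org', 'RubyGems.org.', 'evilrubygems.org',
   'rubygems.org.evil.example', 'evil.example'].each do |target|
    puts format('%-28s naive=%-5s strict=%-5s -> %s',
                target,
                SrvHostCheck.naive_suffix_check?('rubygems.org', target),
                SrvHostCheck.allowed_target?('rubygems.org', target),
                SrvHostCheck.api_endpoint(origin, target).host)
  end
end
```

Run it directly to see the two checks side by side; the only rows on which they differ are the ones that share a suffix but not a label boundary, which is exactly the distinction a hostname-validation fix has to make.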