Your message dated Fri, 10 Aug 2012 17:32:14 +0000
with message-id <e1szt4i-0003je...@franck.debian.org>
and subject line Bug#684454: fixed in ruby-actionpack-3.2 3.2.6-4
has caused the Debian Bug report #684454,
regarding ruby-actionpack-3.2: CVE-2012-3463 / CVE-2012-3464 / CVE-2012-3465
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
684454: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684454
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ruby-actionpack-3.2
Severity: grave
Tags: security
Justification: user security hole

Please see

CVE-2012-3465
http://www.openwall.com/lists/oss-security/2012/08/09/9


CVE-2012-3464
http://www.openwall.com/lists/oss-security/2012/08/09/10


CVE-2012-3463
http://www.openwall.com/lists/oss-security/2012/08/09/8

Since Wheezy is frozen, please use the isolated patches instead of updating to
3.2.8


Cheers,
        Moritz

--- End Message ---
--- Begin Message ---
Source: ruby-actionpack-3.2
Source-Version: 3.2.6-4

We believe that the bug you reported is fixed in the latest version of
ruby-actionpack-3.2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terce...@debian.org> (supplier of updated ruby-actionpack-3.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 10 Aug 2012 13:08:08 -0300
Source: ruby-actionpack-3.2
Binary: ruby-actionpack-3.2
Architecture: source all
Version: 3.2.6-4
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terce...@debian.org>
Description: 
 ruby-actionpack-3.2 - web-flow and rendering framework putting the VC in MVC (part of R
Closes: 684454
Changes: 
 ruby-actionpack-3.2 (3.2.6-4) unstable; urgency=high
 .
   * Add patches for security problems (Closes: #684454):
     + CVE-2012-3463 - Ruby on Rails Potential XSS Vulnerability in select_tag
       prompt
     + CVE-2012-3465 - XSS Vulnerability in strip_tags
     + Both patches were edited from their original versions in two ways:
       - the leading a/ and b/ from the filenames were stripped
       - changes over test files were removed, since the Debian package
         contains no test files.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlAlQtMACgkQDOM8kQ+cso8q3QCdGRsTvclVtO4dTxFfFgKxDZol
AQwAnj3QNOWjvuluYm/xKviLrlpZZSLG
=ZyG4
-----END PGP SIGNATURE-----

--- End Message ---
