Your message dated Tue, 14 Nov 2017 13:36:32 +0000
with message-id <e1eeboc-000ig4...@fasolo.debian.org>
and subject line Bug#879231: fixed in ruby2.3 2.3.5-1
has caused the Debian Bug report #879231,
regarding ruby2.3: CVE-2017-0903: Unsafe object deserialization through YAML formatted gem specifications
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
879231: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879231
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby2.3
Version: 2.3.3-1
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for ruby2.3.

CVE-2017-0903[0]:
| RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a
| possible remote code execution vulnerability. YAML deserialization of
| gem specifications can bypass class white lists. Specially crafted
| serialized objects can possibly be used to escalate to remote code
| execution.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-0903
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903
[1] http://www.openwall.com/lists/oss-security/2017/10/10/2
[2] https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ruby2.3
Source-Version: 2.3.5-1

We believe that the bug you reported is fixed in the latest version of
ruby2.3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terce...@debian.org> (supplier of updated ruby2.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 14 Nov 2017 11:06:39 -0200
Source: ruby2.3
Binary: ruby2.3 libruby2.3 ruby2.3-dev ruby2.3-doc ruby2.3-tcltk
Architecture: source
Version: 2.3.5-1
Distribution: unstable
Urgency: medium
Maintainer: Antonio Terceiro <terce...@debian.org>
Changed-By: Antonio Terceiro <terce...@debian.org>
Description:
 libruby2.3 - Libraries necessary to run Ruby 2.3
 ruby2.3    - Interpreter of object-oriented scripting language Ruby
 ruby2.3-dev - Header files for compiling extension modules for the Ruby 2.3
 ruby2.3-doc - Documentation for Ruby 2.3
 ruby2.3-tcltk - Ruby/Tk for Ruby 2.3
Closes: 842432 853648 864860 873802 873906 875928 875931 875936 879231
Changes:
 ruby2.3 (2.3.5-1) unstable; urgency=medium
 .
   * New upstream release.
     - Includes fix for building with GCC 7 (Closes: #853648)
     - Included security fixes
       - Buffer underrun vulnerability in OpenSSL ASN1 decode
         [CVE-2017-14033] (Closes: #875928)
       - Escape sequence injection vulnerability in the Basic authentication of
         WEBrick
         [CVE-2017-10784] (Closes: #875931)
       - Buffer underrun vulnerability in Kernel.sprintf
         [CVE-2017-0898] (Closes: #875936)
       - Multiple security vulnerabilities in Rubygems (Closes: #873802)
         - DNS request hijacking vulnerability. Discovered by Jonathan
           Claudius, fix by Samuel Giddins.
           [CVE-2017-0902]
         - ANSI escape sequence vulnerability. Discovered by Yusuke Endoh,
           fix by Evan Phoenix.
           [CVE-2017-0899]
         - DOS vulnerability in the query command. Discovered by Yusuke
           Endoh, fix by Samuel Giddins.
           [CVE-2017-0900]
         - Vulnerability in the gem installer that allowed a malicious gem to
           overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel
           Giddins.
           [CVE-2017-0901]
         - Arbitrary heap exposure problem in the JSON library
           [CVE-2017-14064] (Closes: #873906)
         - SMTP comment injection
           [CVE-2015-9096] (Closes: #864860)
         - IV Reuse in GCM Mode in the OpenSSL bindings
           [CVE-2016-7798] (Closes: #842432)
   * Whitelist classes and symbols that are in Gem spec YAML
     [CVE-2017-0903] (Closes: #879231)
     Original patch by Aaron Patterson; backported from the standalone Rubygems
     package
   * Convert packaging from using a plain git history to using gbp-pq, thus
     making debian individual patches explicitly present in debian/patches
   * Refresh debian/libruby2.3.symbols. There are some removed symbols, but
     they are never exposed in a header file so there should be no packages
     using them.


--- End Message ---
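The mitigation named in the changelog above (accept only an explicit allow-list of classes and symbols when loading gem-spec YAML), shown as an added Ruby example. This is not the Debian or RubyGems patch; the two YAML documents, the `load_spec` helper and the `Gem::Version`/`:ruby` allow-list are constructed for illustration.

```ruby
require 'rubygems'
require 'yaml'

# Constructed gemspec-like YAML: it uses only tags the loader is told to accept.
SPEC_YAML = <<~YAML
  ---
  name: example-gem
  version: !ruby/object:Gem::Version
    version: 1.0.0
  platform: :ruby
  summary: constructed example, not a real gem
YAML

# Constructed document carrying a !ruby/object tag that is not on the allow-list.
UNEXPECTED_TAG_YAML = <<~YAML
  ---
  name: example-gem
  loader: !ruby/object:Object {}
YAML

# Allow-list: every class and every symbol a spec is expected to contain.
PERMITTED_CLASSES = [Gem::Version, Symbol].freeze
PERMITTED_SYMBOLS = [:ruby].freeze

# Psych.safe_load raises Psych::DisallowedClass for any tagged object or
# symbol outside the allow-list; aliases are disabled as well.
def load_spec(yaml)
  Psych.safe_load(yaml,
                  permitted_classes: PERMITTED_CLASSES,
                  permitted_symbols: PERMITTED_SYMBOLS,
                  aliases: false)
end

# Returns [:ok, spec] or [:rejected, reason] instead of raising.
def load_spec_result(yaml)
  [:ok, load_spec(yaml)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if $PROGRAM_NAME == __FILE__
  p load_spec_result(SPEC_YAML)
  p load_spec_result(UNEXPECTED_TAG_YAML)
end
```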