Your message dated Mon, 14 Mar 2022 00:24:40 +0000
with message-id <e1ntyvs-0001xk...@fasolo.debian.org>
and subject line Bug#1002995: fixed in ruby3.0 3.0.3-1
has caused the Debian Bug report #1002995,
regarding ruby3.0: CVE-2021-41816 CVE-2021-41817 CVE-2021-41819
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1002995: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002995
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby3.0
Version: 3.0.2-5
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for ruby3.0, they were
fixed upstream in 3.0.3.

CVE-2021-41816[0]:
| Buffer Overrun in CGI.escape_html

CVE-2021-41817[1]:
| Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS
| (regular expression Denial of Service) via a long string. The fixed
| versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
CVE-2021-41819[2]:
| CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes
| in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41816
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41816
[1] https://security-tracker.debian.org/tracker/CVE-2021-41817
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41817
[2] https://security-tracker.debian.org/tracker/CVE-2021-41819
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41819

Regards,
Salvatore

--- End Message ---
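Added example (not code from the report, from Debian or from Ruby upstream): a Ruby check that encodes the "affected through" and "fixed in" boundaries quoted in the report above, so an inventory of installed ruby, date and cgi versions can be screened for the three CVEs. The component keys and the sample inventory are assumptions; the version boundaries come from the report text.

```ruby
require "rubygems"

# Boundaries exactly as quoted in the report. "through" is the highest version
# stated as affected (nil when the report gives none); "fixed" lists the fixed
# releases, which for the date gem exist per MAJOR.MINOR series.
ADVISORIES = {
  "CVE-2021-41817" => { component: "date", through: "3.2.0",
                        fixed: %w[3.2.1 3.1.2 3.0.2 2.0.1] },
  "CVE-2021-41819" => { component: "cgi", through: "0.3.0",
                        fixed: [] },            # no fixed gem version is quoted
  "CVE-2021-41816" => { component: "ruby", through: nil,
                        fixed: %w[3.0.3] },     # thread: fixed upstream in 3.0.3
}.freeze

# True when +installed+ falls inside the stated affected range. A version is
# cleared only by a fixed release of its own MAJOR.MINOR series; without such a
# match it is affected if at or below the stated bound, and when the report
# gives no bound at all it is treated as affected (conservative default).
def affected?(installed, through:, fixed:)
  v = Gem::Version.new(installed)
  series = v.segments[0, 2]
  fixed.each do |f|
    fv = Gem::Version.new(f)
    return false if fv.segments[0, 2] == series && v >= fv
  end
  through.nil? || v <= Gem::Version.new(through)
end

# Runs every advisory against an inventory of {component => version} and
# returns the matching CVE ids, sorted, for reporting or alerting.
def open_cves(inventory)
  ADVISORIES.select do |_cve, adv|
    ver = inventory[adv[:component]]
    ver && affected?(ver, through: adv[:through], fixed: adv[:fixed])
  end.keys.sort
end

# Constructed sample inventory (assumed values, not taken from the report):
# upstream Ruby 3.0.2 as in the reported package, plus older date/cgi gems.
SAMPLE_INVENTORY = { "ruby" => "3.0.2", "date" => "3.1.1", "cgi" => "0.2.0" }.freeze

puts open_cves(SAMPLE_INVENTORY).join(", ") if $PROGRAM_NAME == __FILE__
```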
--- Begin Message ---
Source: ruby3.0
Source-Version: 3.0.3-1
Done: Antonio Terceiro <terce...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby3.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1002...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terce...@debian.org> (supplier of updated ruby3.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 13 Mar 2022 21:02:08 -0300
Source: ruby3.0
Architecture: source
Version: 3.0.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terce...@debian.org>
Closes: 1002995
Changes:
 ruby3.0 (3.0.3-1) unstable; urgency=medium
 .
   * New upstream version 3.0.3.  Includes fixes for the following security
     issues (Closes: #1002995):
     - CVE-2021-41816: Buffer Overrun in CGI.escape_html
     - CVE-2021-41817: regular expression Denial of Service in Date.parse
     - CVE-2021-41819: mishandling of security prefixes in CGI::Cookie.parse
   * Refresh patches
   * autopkgtest: builtin-extensions: check openssl version
   * debian/libruby3.0.symbols: update
   * Fix generation of Provides:
   * Exclude some tests from TestGemServer


--- End Message ---