Your message dated Thu, 03 Jan 2013 19:09:49 +0000 with message-id <1357240189.28152.4.ca...@jacala.jungle.funky-badger.org> and subject line Re: Bug#697283: unblock: ruby-activerecord-3.2/3.2.6-3 has caused the Debian Bug report #697283, regarding unblock: ruby-activerecord-3.2/3.2.6-3 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 697283: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697283 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock Please unblock package ruby-activerecord-3.2 This release fixes a recently undisclosed security problem (CVE-2012-5664) Attached is the debdiff between this version and the version in testing. unblock ruby-activerecord-3.2/3.2.6-3 -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro <terce...@debian.org>diff -Nru ruby-activerecord-3.2-3.2.6/debian/changelog ruby-activerecord-3.2-3.2.6/debian/changelog --- ruby-activerecord-3.2-3.2.6/debian/changelog 2012-06-24 18:52:31.000000000 -0300 +++ ruby-activerecord-3.2-3.2.6/debian/changelog 2013-01-03 11:21:21.000000000 -0300 @@ -1,3 +1,10 @@ +ruby-activerecord-3.2 (3.2.6-3) unstable; urgency=high + + * debian/patches/3-2-dynamic_finder_injection.patch: fix SQL injection + vulnerability (CVE-2012-5664). + + -- Antonio Terceiro <terce...@debian.org> Thu, 03 Jan 2013 11:21:18 -0300 + ruby-activerecord-3.2 (3.2.6-2) unstable; urgency=low * Bump build dependency on gem2deb to >= 0.3.0~ diff -Nru ruby-activerecord-3.2-3.2.6/debian/control ruby-activerecord-3.2-3.2.6/debian/control --- ruby-activerecord-3.2-3.2.6/debian/control 2012-06-24 18:52:06.000000000 -0300 +++ ruby-activerecord-3.2-3.2.6/debian/control 2012-09-01 17:38:02.000000000 -0300 @@ -3,7 +3,6 @@ Priority: optional Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org> Uploaders: - Ondřej Surý <ond...@debian.org>, Antonio Terceiro <terce...@debian.org>, DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), diff -Nru ruby-activerecord-3.2-3.2.6/debian/control.in ruby-activerecord-3.2-3.2.6/debian/control.in --- ruby-activerecord-3.2-3.2.6/debian/control.in 2012-06-16 20:57:42.000000000 -0300 +++ ruby-activerecord-3.2-3.2.6/debian/control.in 2012-09-01 17:38:02.000000000 -0300 @@ -3,7 +3,6 @@ Priority: optional Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org> Uploaders: - Ondřej Surý <ond...@debian.org>, Antonio Terceiro <terce...@debian.org>, DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/3-2-dynamic_finder_injection.patch ruby-activerecord-3.2-3.2.6/debian/patches/3-2-dynamic_finder_injection.patch --- ruby-activerecord-3.2-3.2.6/debian/patches/3-2-dynamic_finder_injection.patch 1969-12-31 21:00:00.000000000 -0300 +++ ruby-activerecord-3.2-3.2.6/debian/patches/3-2-dynamic_finder_injection.patch 2013-01-03 11:14:35.000000000 -0300 @@ -0,0 +1,32 @@ +From 325669f0795a9148fd31f7f496a40dc8e114ef52 Mon Sep 17 00:00:00 2001 +From: Aaron Patterson <aaron.patter...@gmail.com> +Date: Sun, 23 Dec 2012 11:07:07 -0800 +Subject: [PATCH] CVE-2012-5664 options hashes should only be extracted if + there are extra parameters + +--- + lib/active_record/dynamic_matchers.rb | 7 ++++++- + test/cases/finder_test.rb | 12 ++++++++++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/lib/active_record/dynamic_matchers.rb b/lib/active_record/dynamic_matchers.rb +index b6b8e24..f15d0b7 100644 +--- a/lib/active_record/dynamic_matchers.rb ++++ b/lib/active_record/dynamic_matchers.rb +@@ -40,7 +40,12 @@ module ActiveRecord + METHOD + send(method_id, *arguments) + elsif match.finder? +- options = arguments.extract_options! ++ options = if arguments.length > attribute_names.size ++ arguments.extract_options! ++ else ++ {} ++ end ++ + relation = options.any? ? scoped(options) : scoped + relation.send :find_by_attributes, match, attribute_names, *arguments, &block + elsif match.instantiator? +-- +1.7.10.2 (Apple Git-33) + diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/series ruby-activerecord-3.2-3.2.6/debian/patches/series --- ruby-activerecord-3.2-3.2.6/debian/patches/series 2012-06-16 11:10:55.000000000 -0300 +++ ruby-activerecord-3.2-3.2.6/debian/patches/series 2013-01-03 11:04:55.000000000 -0300 @@ -1 +1,2 @@ Remove_rubygems_dependency.patch +3-2-dynamic_finder_injection.patchsignature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---On Thu, 2013-01-03 at 11:47 -0300, Antonio Terceiro wrote: > Please unblock package ruby-activerecord-3.2 > > This release fixes a recently undisclosed security problem > (CVE-2012-5664) Recently /disclosed/? Unblocked; thanks. Regards, Adam
--- End Message ---