Your message dated Mon, 4 Mar 2024 20:37:33 +0100
with message-id <zeyi_wtaua_qe...@eldamar.lan>
and subject line Re: Bug#1064862: ruby-rack-cors: CVE-2024-27456
has caused the Debian Bug report #1064862,
regarding ruby-rack-cors: CVE-2024-27456
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1064862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064862
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-rack-cors
Version: 2.0.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/cyu/rack-cors/issues/274
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for ruby-rack-cors.

CVE-2024-27456[0]:
| rack-cors (aka Rack CORS Middleware) 2.0.1 has 0666 permissions for
| the .rb files.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27456
    https://www.cve.org/CVERecord?id=CVE-2024-27456
[1] https://github.com/cyu/rack-cors/issues/274

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Hi,

On Mon, Feb 26, 2024 at 08:43:06PM +0100, Salvatore Bonaccorso wrote:
> Source: ruby-rack-cors
> Version: 2.0.1-2
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/cyu/rack-cors/issues/274
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for ruby-rack-cors.
> 
> CVE-2024-27456[0]:
> | rack-cors (aka Rack CORS Middleware) 2.0.1 has 0666 permissions for
> | the .rb files.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Turns out we can close this, as it only affects the upstream build but the
permissions in the Debian package are correct.

Regards,
Salvatore

--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
