Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Hi Emilio,

On Fri, Jul 10, 2020 at 11:27 PM Emilio Pozuelo Monfort wrote:
> On 10/07/2020 19:49, Utkarsh Gupta wrote:
> They got reverted here:
>
> commit 41a5070e43be50edc80c35082caa1a5005b06131
> Author: Branislav Makuch
> Date:   Wed Jul 1 13:31:49 2020 +
>
>     Revert "Merge branch 'master' of salsa.debian.org:webmaster-team/webwml"
>
>     This reverts commit 6bcdcddbc8ba89d14541d46617fc456725f69b29
>
> Probably a mistake as it mentions commit 6bcdcd. I'd say just re-add your
> changes, revert that revert :-)

Aw, crap :/

Many thanks, reverted the revert! \o/

Best,
Utkarsh
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
On 10/07/2020 19:49, Utkarsh Gupta wrote:
> Hi,
>
> On Mon, Jul 6, 2020 at 1:40 PM Holger Levsen wrote:
>> Three DLAs have been reserved but not yet been published on www.debian.org:
>> LTS:
>>
>> - DLA 2269-1 (reserved by Utkarsh Gupta)
>> - DLA 2270-1 (reserved by Utkarsh Gupta)
>> - DLA 2271-1 (reserved by Utkarsh Gupta)
>
> This is weird. These DLAs were pushed on July 1st itself via [1][2][3].
> Not sure what went wrong!?

They got reverted here:

commit 41a5070e43be50edc80c35082caa1a5005b06131
Author: Branislav Makuch
Date:   Wed Jul 1 13:31:49 2020 +

    Revert "Merge branch 'master' of salsa.debian.org:webmaster-team/webwml"

    This reverts commit 6bcdcddbc8ba89d14541d46617fc456725f69b29

Probably a mistake as it mentions commit 6bcdcd. I'd say just re-add your
changes, revert that revert :-)

Cheers,
Emilio

>
> Best,
> Utkarsh
> ---
> [1]:
> https://salsa.debian.org/webmaster-team/webwml/-/commit/3fa826e876fd342ecabeeaa0da6f1d21dd6a6181
> [2]:
> https://salsa.debian.org/webmaster-team/webwml/-/commit/16a084b6ad0a1fbe83ac7b57a162d83d0356a334
> [3]:
> https://salsa.debian.org/webmaster-team/webwml/-/commit/e52b2777d771f308ecdb741698e624a5ce128745
>
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
On Fri, Jul 10, 2020 at 11:19 PM Utkarsh Gupta wrote:
> On Mon, Jul 6, 2020 at 1:40 PM Holger Levsen wrote:
> > Three DLAs have been reserved but not yet been published on www.debian.org:
> > LTS:
> >
> > - DLA 2269-1 (reserved by Utkarsh Gupta)
> > - DLA 2270-1 (reserved by Utkarsh Gupta)
> > - DLA 2271-1 (reserved by Utkarsh Gupta)
>
> This is weird. These DLAs were pushed on July 1st itself via [1][2][3].
> Not sure what went wrong!?

Interesting. I can't see them at https://www.debian.org/lts/security/.
So they aren't published. Hm, I'll see what happened to them.
In case someone has any clue, please let me know.

Best,
Utkarsh
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Hi,

On Mon, Jul 6, 2020 at 1:40 PM Holger Levsen wrote:
> Three DLAs have been reserved but not yet been published on www.debian.org:
> LTS:
>
> - DLA 2269-1 (reserved by Utkarsh Gupta)
> - DLA 2270-1 (reserved by Utkarsh Gupta)
> - DLA 2271-1 (reserved by Utkarsh Gupta)

This is weird. These DLAs were pushed on July 1st itself via [1][2][3].
Not sure what went wrong!?

Best,
Utkarsh

---
[1]: https://salsa.debian.org/webmaster-team/webwml/-/commit/3fa826e876fd342ecabeeaa0da6f1d21dd6a6181
[2]: https://salsa.debian.org/webmaster-team/webwml/-/commit/16a084b6ad0a1fbe83ac7b57a162d83d0356a334
[3]: https://salsa.debian.org/webmaster-team/webwml/-/commit/e52b2777d771f308ecdb741698e624a5ce128745
Re: rails update
Hi Antonio,

On 08/07/2020 18:32, terce...@debian.org wrote:
> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
>> Back to the initial topic, the current tasks underway are:
>>
>>
>> - stretch update review
>>
>> The update is ready:
>> https://www.beuc.net/tmp/debian-lts/rails/
>>
>> It includes an additional regression fix for CVE-2020-8163.
>> https://security-tracker.debian.org/tracker/CVE-2020-8163
>>
>> I requested upstream feedback but given that 4.x is EOL so far no luck.
>> https://github.com/rails/rails/issues/39301#issuecomment-648885623
>> https://github.com/rails/rails/pull/39806
>>
>> Hence we called for a review from a Ruby/Rails-savvy DD.
>> (stretch moved from oldstable->LTS meanwhile, but the review would still
>> be appreciated)
>> Anyone up?
>>
>>
>> - buster update
>>
>> I now "up-ported" my stretch work at:
>> https://www.beuc.net/tmp/debian-lts/rails-buster/
>> + added the redis side of CVE-2020-8165
>>
>> I believe I would do a disservice to the community if I did a one-time
>> update masking possible problems with long-term maintenance, so I'm
>> leaving the other CVEs to fix
>> (cf. https://security-tracker.debian.org/tracker/source-package/rails)
>
> I looked briefly at both updates, and the new patches included in them
> look sane and reasonable.

Thanks for your review!

Also my regression fix for CVE-2020-8163 (4.x) was merged:
https://github.com/rails/rails/commit/0ecaaf76d1b79cf2717cdac754e55b4114ad6599

Cheers!
Sylvain
Re: rails update
On Fri, Jul 10, 2020 at 11:55:37AM +0200, Sylvain Beucler wrote:
> Hi,
>
> On 10/07/2020 10:28, Moritz Mühlenhoff wrote:
> > On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
> >> Hi,
> >>
> >> - buster update
> >>
> >> I now "up-ported" my stretch work at:
> >> https://www.beuc.net/tmp/debian-lts/rails-buster/
> >> + added the redis side of CVE-2020-8165
> >
> > What do you mean with up-ported? Applying a patch made for an older release
> > to a more recent release will miss all code which wasn't present in
> > the older suite.
>
> To phrase it more precisely, I went back to the upstream patches for
> 5.2, applied them and unit-tested them.

Ah, ok! I'll have a look at this over the weekend.

Cheers,
Moritz
Re: rails update
Hi,

On 10/07/2020 10:28, Moritz Mühlenhoff wrote:
> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
>> Hi,
>>
>> - buster update
>>
>> I now "up-ported" my stretch work at:
>> https://www.beuc.net/tmp/debian-lts/rails-buster/
>> + added the redis side of CVE-2020-8165
>
> What do you mean with up-ported? Applying a patch made for an older release
> to a more recent release will miss all code which wasn't present in
> the older suite.

To phrase it more precisely, I went back to the upstream patches for
5.2, applied them and unit-tested them.

(debdiff.txt from the above URL attached for reference.)

Cheers!
Sylvain

diff -Nru rails-5.2.2.1+dfsg/debian/changelog rails-5.2.2.1+dfsg/debian/changelog --- rails-5.2.2.1+dfsg/debian/changelog 2020-03-22 14:17:31.0 +0100 +++ rails-5.2.2.1+dfsg/debian/changelog 2020-07-08 11:38:00.0 +0200 @@ -1,3 +1,12 @@ +rails (2:5.2.2.1+dfsg-1+deb10u2) UNRELEASED; urgency=high + + [ Sylvain Beucler ] + * CVE-2020-8164: possible Strong Parameters Bypass in ActionPack + * CVE-2020-8165: potentially unintended unmarshalling of user-provided +objects in MemCacheStore and RedisCacheStore + + -- debian Wed, 08 Jul 2020 11:38:00 +0200 + rails (2:5.2.2.1+dfsg-1+deb10u1) buster; urgency=high * Team upload. diff -Nru rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8164.patch rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8164.patch --- rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8164.patch 1970-01-01 01:00:00.0 +0100 +++ rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8164.patch 2020-07-08 11:38:00.0 +0200 
@@ -0,0 +1,48 @@ +Origin: https://github.com/rails/rails/commit/7a3ee4fea90b7555f8d09c6c05c15fe7ab5a06ec +Last-Update: 2029-07-08 +Reviewed-by: Sylvain Beucler + +From 7a3ee4fea90b7555f8d09c6c05c15fe7ab5a06ec Mon Sep 17 00:00:00 2001 +From: Jack McCracken +Date: Wed, 13 May 2020 15:25:12 -0400 +Subject: [PATCH] Return self when calling #each, #each_pair, and #each_value + instead of the raw @parameters hash + +[CVE-2020-8164] +--- + .../lib/action_controller/metal/strong_parameters.rb | 2 ++ + actionpack/test/controller/parameters/accessors_test.rb | 8 + 2 files changed, 10 insertions(+) + +diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb +index 510cb353b493..8532b21d94b0 100644 +--- a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb +@@ -337,6 +337,8 @@ def each_pair(&block) + @parameters.each_pair do |key, value| + yield [key, convert_hashes_to_parameters(key, value)] + end ++ ++ self + end + alias_method :each, :each_pair + +diff --git a/actionpack/test/controller/parameters/accessors_test.rb b/actionpack/test/controller/parameters/accessors_test.rb +index db9359876c9a..25a9cee0109e 100644 +--- a/actionpack/test/controller/parameters/accessors_test.rb b/actionpack/test/controller/parameters/accessors_test.rb +@@ -20,6 +20,14 @@ class ParametersAccessorsTest < ActiveSupport::TestCase + ) + end + ++ test "each returns self" do ++assert_same @params, @params.each { |_| _ } ++ end ++ ++ test "each_pair returns self" do ++assert_same @params, @params.each_pair { |_| _ } ++ end ++ + test "[] retains permitted status" do + @params.permit! + assert_predicate @params[:person], :permitted? 
diff -Nru rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8165.patch rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8165.patch --- rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8165.patch 1970-01-01 01:00:00.0 +0100 +++ rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8165.patch 2020-07-08 11:38:00.0 +0200 @@ -0,0 +1,293 @@ +Origin: https://github.com/rails/rails/commit/f7e077f85e61fc0b7381963eda0ceb0e457546b5 +Origin: https://github.com/rails/rails/commit/467e3399c9007996c03ffe3212689d48dd25ae99 +Last-Update: 2029-07-08 +Reviewed-by: Sylvain Beucler + +From f7e077f85e61fc0b7381963eda0ceb0e457546b5 Mon Sep 17 00:00:00 2001 +From: Dylan Thacker-Smith +Date: Sat, 22 Sep 2018 17:57:58 -0400 +Subject: [PATCH] activesupport: Avoid Marshal.load on raw cache value in + MemCacheStore + +Dalli is already being used for marshalling, so we should also rely +on it for unmarshalling. Since Dalli tags the cache value as marshalled +it can avoid unmarshalling a raw string which might have come from +an untrusted source. + +[CVE-2020-8165] + +From 467e3399c9007996c03ffe3212689d48dd25ae99 Mon Sep 17 00:00:00 2001 +From: Dylan Thacker-Smith +Date: Sat, 22 Sep 2018 21:17:07 -0400 +Subject: [PATCH] activesupport: Deprecate Marshal.load on raw cache read in + RedisCacheStore + +The same value for the `raw` option should be provided for both reading and +writing to avoid Marshal.load being called on untrusted data. + +[CVE-2020-8165] + +Index: rails-5.2.2.1+dfsg/activesupport/lib/active_support/cac
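Review bot: the debian/changelog hunk still targets UNRELEASED and its trailer, as shown, reads `-- debian Wed, 08 Jul 2020 11:38:00 +0200` with only `debian` where the uploader's full name and e-mail address belong; before upload the distribution should become buster and the trailer should carry the real maintainer identity, otherwise dpkg-genchanges will produce a misleading .changes file.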
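Review bot: the DEP-3 header of CVE-2020-8164.patch says `Last-Update: 2029-07-08`, which is nine years in the future and should read `2020-07-08` to match the changelog date; the code change itself (adding `self` as the return value of `each_pair`, with `each` aliased to it, plus the two `assert_same` tests) matches the upstream commit named in the Origin line.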
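Review bot: CVE-2020-8165.patch has the same `Last-Update: 2029-07-08` typo as the other patch header. The second upstream commit it bundles (467e3399) is described as only deprecating `Marshal.load` on raw cache reads in RedisCacheStore, and its message states that the same `raw` option must be given for both reads and writes to avoid unmarshalling untrusted data; that caller-side requirement is worth stating in the changelog entry so that buster users know the Redis side of the fix depends on their configuration.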
Re: rails update
On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
> Hi,
>
> - buster update
>
> I now "up-ported" my stretch work at:
> https://www.beuc.net/tmp/debian-lts/rails-buster/
> + added the redis side of CVE-2020-8165

What do you mean with up-ported? Applying a patch made for an older release
to a more recent release will miss all code which wasn't present in
the older suite.

Cheers,
Moritz