Your message dated Sun, 24 Mar 2019 12:05:54 +0000
with message-id <e1h81sw-0002qk...@fasolo.debian.org>
and subject line Bug#924747: fixed in ruby-doorkeeper-openid-connect 1.5.5-1
has caused the Debian Bug report #924747,
regarding ruby-doorkeeper-openid-connect: CVE-2019-9837
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
924747: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924747
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-doorkeeper-openid-connect
Version: 1.5.2-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/61

Hi,

The following vulnerability was published for ruby-doorkeeper-openid-connect.

CVE-2019-9837[0]:
| Doorkeeper::OpenidConnect (aka the OpenID Connect extension for
| Doorkeeper) 1.4.x and 1.5.x before 1.5.4 has an open redirect via the
| redirect_uri field in an OAuth authorization request (that results in
| an error response) with the 'openid' scope and a prompt=none value.
| This allows phishing attacks against the authorization flow.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9837
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9837
[1] https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/61
[2] https://github.com/doorkeeper-gem/doorkeeper-openid_connect/pull/66

Regards,
Salvatore

--- End Message ---
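As an added illustration of the decision the CVE text describes (constructed here, not code from doorkeeper-openid_connect or its fix): a prompt=none OpenID Connect request that cannot be satisfied is answered with error=login_required delivered to redirect_uri, so the error path must validate redirect_uri against the client's registered URIs exactly as the success path does, or the error response itself becomes an open redirect. The registered URI, request parameters and function names are assumptions.

```ruby
require "uri"

# Constructed example of the error-path decision behind CVE-2019-9837; it is
# not doorkeeper-openid_connect's code. Client registration and request
# parameters are made up for the illustration.
REGISTERED_REDIRECT_URIS = ["https://app.example.com/callback"].freeze

# OAuth 2.0 / OIDC require redirect_uri to match a registered value exactly;
# a parse check rejects malformed input before the string comparison.
def registered_redirect?(redirect_uri, registered = REGISTERED_REDIRECT_URIS)
  return false unless redirect_uri.is_a?(String)
  begin
    URI.parse(redirect_uri)
  rescue URI::InvalidURIError
    return false
  end
  registered.include?(redirect_uri)
end

# An OIDC request asking for silent authentication (openid scope, prompt=none).
def silent_openid_request?(params)
  params["prompt"] == "none" && params["scope"].to_s.split.include?("openid")
end

# Vulnerable shape: a prompt=none request with no session is answered with
# error=login_required sent to whatever redirect_uri was supplied, so the
# error response is a redirect to an attacker-chosen location.
def authorize_vulnerable(params, logged_in:)
  if silent_openid_request?(params) && !logged_in
    return { redirect_to: params["redirect_uri"], error: "login_required" }
  end
  { redirect_to: nil, error: nil } # normal flow continues elsewhere
end

# Hardened shape: redirect_uri is validated before any redirect is built; an
# unregistered value is rendered locally (no Location header), and only a
# registered client URI ever receives the login_required error.
def authorize_hardened(params, logged_in:, registered: REGISTERED_REDIRECT_URIS)
  unless registered_redirect?(params["redirect_uri"], registered)
    return { redirect_to: nil, error: "invalid_request" }
  end
  if silent_openid_request?(params) && !logged_in
    return { redirect_to: params["redirect_uri"], error: "login_required" }
  end
  { redirect_to: nil, error: nil }
end
```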
--- Begin Message ---
Source: ruby-doorkeeper-openid-connect
Source-Version: 1.5.5-1

We believe that the bug you reported is fixed in the latest version of
ruby-doorkeeper-openid-connect, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <guptautkarsh2...@gmail.com> (supplier of updated 
ruby-doorkeeper-openid-connect package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sun, 24 Mar 2019 16:22:22 +0530
Source: ruby-doorkeeper-openid-connect
Binary: ruby-doorkeeper-openid-connect
Architecture: source
Version: 1.5.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers 
<pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <guptautkarsh2...@gmail.com>
Description:
 ruby-doorkeeper-openid-connect - OpenID Connect extension for Doorkeeper
Closes: 924747
Changes:
 ruby-doorkeeper-openid-connect (1.5.5-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 1.5.5 (Fixes: CVE-2019-9837) (Closes: #924747)
   * Update d/watch to point to GitHub
   * Bump Standards-Version to 4.3.0 (no changes needed)
   * Fix insecure URL


--- End Message ---
