Your message dated Wed, 07 Jul 2021 21:33:52 +0000
with message-id <e1m1fb2-000218...@fasolo.debian.org>
and subject line Bug#990791: fixed in ruby-addressable 2.7.0-2
has caused the Debian Bug report #990791,
regarding ruby-addressable: CVE-2021-32740
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990791: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990791
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-addressable
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ruby-addressable.

CVE-2021-32740[0]:
| Addressable is an alternative implementation to the URI implementation
| that is part of Ruby's standard library. An uncontrolled resource
| consumption vulnerability exists after version 2.3.0 through version
| 2.7.0. Within the URI template implementation in Addressable, a
| maliciously crafted template may result in uncontrolled resource
| consumption, leading to denial of service when matched against a URI.
| In typical usage, templates would not normally be read from untrusted
| user input, but nonetheless, no previous security advisory for
| Addressable has cautioned against doing this. Users of the parsing
| capabilities in Addressable but not the URI template capabilities are
| unaffected. The vulnerability is patched in version 2.8.0. As a
| workaround, only create Template objects from trusted sources that
| have been validated not to produce catastrophic backtracking.

https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g
https://github.com/sporkmonger/addressable/commit/b48ff03347a6d46e8dc674e242ce74c6381962a5#diff-fb36d3dc67e6565ffde17e666a98697f48e76dac38fabf1bb9e97cdf3b583d76

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32740
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32740

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: ruby-addressable
Source-Version: 2.7.0-2
Done: Pirate Praveen <prav...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-addressable, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <prav...@debian.org> (supplier of updated ruby-addressable package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 08 Jul 2021 02:39:52 +0530
Source: ruby-addressable
Architecture: source
Version: 2.7.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Pirate Praveen <prav...@debian.org>
Closes: 990791
Changes:
 ruby-addressable (2.7.0-2) unstable; urgency=medium
 .
   * Team Upload
 .
   [ Debian Janitor ]
   * Update standards version to 4.4.1, no changes needed.
 .
   [ Cédric Boutillier ]
   * Update team name
   * Add .gitattributes to keep unwanted files out of the source package
 .
   [ Debian Janitor ]
   * Update watch file format version to 4.
   * Set upstream metadata fields: Bug-Submit.
   * Update standards version to 4.5.0, no changes needed.
 .
   [ Pirate Praveen ]
   * Backport patch to Prevent ReDOS vuln on URI Template matching from new
     upstream version (Closes: #990791) (Fixes: CVE-2021-32740)
   * Bump Standards-Version to 4.5.1 (no changes needed)
Checksums-Sha1:
 d6e52c867113f7471333a79917ab831bd2b60193 2240 ruby-addressable_2.7.0-2.dsc
 7ecbc3543af574b847a681f5859cbb4ac67250a3 5192 ruby-addressable_2.7.0-2.debian.tar.xz
 c524c958b435d6e89aac38f736058e5d03134dd1 10177 ruby-addressable_2.7.0-2_amd64.buildinfo
Checksums-Sha256:
 2c57028e681ff7ac668a48beea967c8e413b8bfa78a17e44906075ef4d4ac1e7 2240 ruby-addressable_2.7.0-2.dsc
 7dded86f1dc7c0581cafb644b6769c3dc398024f40f18686e4d32b2663abb2ae 5192 ruby-addressable_2.7.0-2.debian.tar.xz
 f62f6a9dc5ab3b6946de518aa6b4e342638df11a9a838ec5fce152bb6e864470 10177 ruby-addressable_2.7.0-2_amd64.buildinfo
Files:
 f0e706f7dc1119fd0ef1f9e4c1d2bd2a 2240 ruby optional ruby-addressable_2.7.0-2.dsc
 b756591239187d84cda06c19f2ab4c14 5192 ruby optional ruby-addressable_2.7.0-2.debian.tar.xz
 24fc19659bf3f372b543154c11cee10c 10177 ruby optional ruby-addressable_2.7.0-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
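The CVE text above gives the affected range as "after version 2.3.0 through version 2.7.0" with the fix in 2.8.0, while the changelog in the closing message fixes the issue in Debian by backporting the upstream patch into ruby-addressable 2.7.0-2. That combination is the classic trap for version-based vulnerability triage: an installed gem reporting 2.7.0 is affected, but the Debian package 2.7.0-2 is not, even though its upstream version string is the same. The Ruby script below is an added example, not code from the bug report, the CVE record or the Debian package; it encodes exactly those two facts and runs over a constructed host inventory. The Debian version handling is a labelled simplification (no epoch, numeric revision), which is enough for the versions on this page but not a full implementation of Debian version ordering.

```ruby
# Added example for CVE-2021-32740 triage (not part of the bug report or the
# Debian package). Applies the affected range from the CVE text and the Debian
# backport fact from the changelog (ruby-addressable 2.7.0-2 closes #990791).
require 'rubygems'

# Affected upstream gem versions per the CVE text: (2.3.0, 2.7.0].
AFFECTED_GEM_RANGE = Gem::Requirement.new('> 2.3.0', '<= 2.7.0')

# First Debian source version carrying the backported fix (from this thread).
DEBIAN_FIXED_VERSION = '2.7.0-2'

# True when an unpatched upstream gem of this version is affected.
def gem_version_affected?(version)
  AFFECTED_GEM_RANGE.satisfied_by?(Gem::Version.new(version))
end

# Split a Debian package version "upstream-revision" into its parts.
# Assumption: no epoch and a Debian revision that starts with a number, which
# holds for the versions on this page; real Debian version ordering is richer.
def split_debian_version(version)
  upstream, revision = version.split('-', 2)
  [upstream, revision.to_i]
end

# True when the Debian package is still affected: upstream version in the
# affected range AND the revision predates the backported fix.
def debian_package_affected?(version)
  upstream, revision = split_debian_version(version)
  return false unless gem_version_affected?(upstream)

  fixed_upstream, fixed_revision = split_debian_version(DEBIAN_FIXED_VERSION)
  # The backport only counts for the same upstream version at or above the
  # revision that introduced the patch; other upstream versions stay affected.
  backported = Gem::Version.new(upstream) == Gem::Version.new(fixed_upstream) &&
               revision >= fixed_revision
  !backported
end

# Return the hosts that still need action. Each inventory entry records where
# the version came from: a gem install (:gem) or a Debian package (:debian).
def triage(inventory)
  inventory.select do |entry|
    case entry[:source]
    when :gem    then gem_version_affected?(entry[:version])
    when :debian then debian_package_affected?(entry[:version])
    else raise ArgumentError, "unknown source #{entry[:source].inspect}"
    end
  end.map { |entry| entry[:host] }
end

# Constructed sample inventory (hostnames and versions made up for the example).
SAMPLE_INVENTORY = [
  { host: 'app-01', source: :gem,    version: '2.7.0' },   # vulnerable upstream gem
  { host: 'app-02', source: :gem,    version: '2.8.0' },   # upstream fix
  { host: 'web-01', source: :debian, version: '2.7.0-1' }, # Debian before the backport
  { host: 'web-02', source: :debian, version: '2.7.0-2' }, # Debian with the backport
  { host: 'ci-01',  source: :gem,    version: '2.3.0' },   # outside the affected range
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "Needs action: #{triage(SAMPLE_INVENTORY).join(', ')}"
end
```

Run it directly and it lists app-01 and web-01; web-02 is cleared because the Debian revision meets the backport, which a scanner comparing only the upstream string 2.7.0 would miss. For a scanner that already understands Debian versions, the equivalent is to consult the Debian security tracker entry linked in the report rather than the CVE range alone.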
