[DRE-maint] Bug#1024274: rails: CVE-2022-3704: XSS within Route Error Page

2022-11-16 Thread Salvatore Bonaccorso
Source: rails Version: 2:6.1.7+dfsg-2 Severity: important Tags: security upstream Forwarded: https://github.com/rails/rails/issues/46244 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for rails. CVE-2022-3704[0]: | A vulnerability classified

[DRE-maint] Bug#1024799: ruby3.1: CVE-2021-33621

2022-11-25 Thread Salvatore Bonaccorso
Source: ruby3.1 Version: 3.1.2-3 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: clone -1 -2 Control: reassign -2 src:ruby3.0 3.0.4-8 Control: retitle -2 ruby3.0: CVE-2021-33621 Hi, The following vulnerability was published for ruby. CV

[DRE-maint] Bug#1025125: ruby-sinatra: CVE-2022-45442: Reflected File Download attack

2022-11-29 Thread Salvatore Bonaccorso
Source: ruby-sinatra Version: 2.2.2-1 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-sinatra. CVE-2022-45442[0]: | Sinatra is a domain-specific language for creating web applications in | Ruby.

[DRE-maint] Bug#1029832: ruby-rack: CVE-2022-44570 CVE-2022-44571 CVE-2022-44572

2023-01-28 Thread Salvatore Bonaccorso
Source: ruby-rack Version: 2.2.4-2 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerabilities were published for ruby-rack. CVE-2022-44570[0]: | rack: Fix ReDoS in Rack::Utils.get_byte_ranges CVE-2022-44571[1]: | rack: Fix Re

[DRE-maint] Bug#1029851: ruby-globalid: CVE-2023-22799

2023-01-28 Thread Salvatore Bonaccorso
Source: ruby-globalid Version: 0.6.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-globalid. CVE-2023-22799[0]: | Possible ReDoS based DoS vulnerability in GlobalID If you fix the vulne

[DRE-maint] Bug#1030047: ruby-sanitize: diff for NMU version 6.0.0-1.1

2023-02-20 Thread Salvatore Bonaccorso
pload. + * Update tests to remove deprecated minitest 'must_be' + * Forcibly escape content in "unescaped text" elements inside math or svg +namespaces + * Always remove `` elements (CVE-2023-23627) (Closes: #1030047) + + -- Salvatore Bonaccorso Mon, 20 Feb 2023 20:28:45 +0100

[DRE-maint] Bug#1032803: ruby-rack: CVE-2023-27530

2023-03-11 Thread Salvatore Bonaccorso
Source: ruby-rack Version: 2.2.4-3 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-rack. CVE-2023-27530[0]: | A DoS vulnerability exists in Rack

[DRE-maint] Bug#1033262: rails: CVE-2023-28120

2023-03-20 Thread Salvatore Bonaccorso
Source: rails Version: 2:6.1.7+dfsg-3 Severity: important X-Debbugs-Cc: car...@debian.org Hi, The following vulnerability was published for rails. CVE-2023-28120[0]: | Possible XSS Security Vulnerability in SafeBuffer#bytesplice If you fix the vulnerability please also make sure to include the

[DRE-maint] Bug#1033263: rails: CVE-2023-23913

2023-03-20 Thread Salvatore Bonaccorso
Source: rails Version: 2:6.1.7+dfsg-3 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for rails. CVE-2023-23913[0]: | DOM Based Cross-site Scripting in rails-ujs for contenteditable HTML | Elements

[DRE-maint] Bug#1033264: ruby-rack: CVE-2023-27539

2023-03-20 Thread Salvatore Bonaccorso
Source: ruby-rack Version: 2.2.4-3 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-rack. CVE-2023-27539[0]: | Possible Denial of Service Vulnerability in Rack’s header parsing If you fix th

[DRE-maint] Bug#1001817: rails: CVE-2021-44528: Possible Open Redirect in Host Authorization Middleware

2021-12-16 Thread Salvatore Bonaccorso
Source: rails Version: 2:6.1.4.1+dfsg-8 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2:6.0.3.7+dfsg-2 Hi, The following vulnerability was published for rails. CVE-2021-44528[0]: | Possible Open Redirect in Host Authorization

[DRE-maint] Bug#1002995: ruby3.0: CVE-2021-41816 CVE-2021-41817 CVE-2021-41819

2022-01-02 Thread Salvatore Bonaccorso
Source: ruby3.0 Version: 3.0.2-5 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerabilities were published for ruby3.0, they were fixed upstream in 3.0.3. CVE-2021-41816[0]: | Buffer Overrun in CGI.escape_html CVE-2021-41817[

[DRE-maint] Bug#1004193: ruby-sidekiq: CVE-2022-23837

2022-01-22 Thread Salvatore Bonaccorso
Source: ruby-sidekiq Version: 6.3.1+dfsg-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-sidekiq. CVE-2022-23837[0]: | In api.rb in Sidekiq before 6.4.0, there is no limit on the number of

[DRE-maint] Bug#1005389: rails: CVE-2022-23633

2022-02-12 Thread Salvatore Bonaccorso
Source: rails Version: 2:6.1.4.1+dfsg-8 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2:6.0.3.7+dfsg-2 Hi, The following vulnerability was published for rails. CVE-2022-23633[0]: | Action Pack is a framework for handling and

[DRE-maint] Bug#1005391: puma: CVE-2022-23634

2022-02-12 Thread Salvatore Bonaccorso
Source: puma Version: 5.5.2-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for puma. CVE-2022-23634[0]: | Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` | version `5.6.2`, `

[DRE-maint] Bug#1007225: ruby-image-processing: CVE-2022-24720

2022-03-13 Thread Salvatore Bonaccorso
Source: ruby-image-processing Version: 1.10.3-1 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-image-processing. CVE-2022-24720[0]: | image_processing is an image processing wrapper for libvips

[DRE-maint] Bug#1009787: ruby-nokogiri: CVE-2022-24836: Inefficient Regular Expression Complexity

2022-04-17 Thread Salvatore Bonaccorso
Source: ruby-nokogiri Version: 1.13.1+dfsg-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-nokogiri. CVE-2022-24836[0]: | Nokogiri is an open source XML and HTML library for Ruby. Nokogiri

[DRE-maint] Bug#1009926: ruby-git: CVE-2022-25648

2022-04-20 Thread Salvatore Bonaccorso
Source: ruby-git Version: 1.9.1-1 Severity: important Tags: security upstream Forwarded: https://github.com/ruby-git/ruby-git/pull/569 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-git. CVE-2022-25648[0]: | The package git before 1.

[DRE-maint] Bug#1009956: ruby3.0: CVE-2022-28739

2022-04-21 Thread Salvatore Bonaccorso
Source: ruby3.0 Version: 3.0.3-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: clone -1 -2 Control: reassign -2 src:ruby2.7 2.7.5-1 Control: retitle -2 ruby2.7: CVE-2022-28739 Hi, The following vulnerability was published for ruby3.0 (

[DRE-maint] Bug#1009958: ruby3.0: CVE-2022-28738

2022-04-21 Thread Salvatore Bonaccorso
Source: ruby3.0 Version: 3.0.3-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby3.0. CVE-2022-28738[0]: | Double free in Regexp compilation If you fix the vulnerability please also make sur

[DRE-maint] Bug#1013806: ruby-rails-html-sanitizer: CVE-2022-32209

2022-06-25 Thread Salvatore Bonaccorso
Source: ruby-rails-html-sanitizer Version: 1.4.2-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-rails-html-sanitizer. CVE-2022-32209[0]: | # Possible XSS Vulnerability in Rails::Html::San

Re: [DRE-maint] Accepted ruby-rack 2.2.6.4-1 (source) into unstable

2023-03-25 Thread Salvatore Bonaccorso
Source: ruby-rack Source-Version: 2.2.6.4-1 On Sat, Mar 25, 2023 at 02:39:38PM +, Debian FTP Masters wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Format: 1.8 > Date: Fri, 24 Mar 2023 01:32:43 +0530 > Source: ruby-rack > Architecture: source > Version: 2.2.6.4-1 > Distributio

Re: [DRE-maint] Accepted rails 2:6.1.7.3+dfsg-1 (source) into unstable

2023-03-25 Thread Salvatore Bonaccorso
Source: rails Source-Version: 2:6.1.7.3+dfsg-1 Can close with it as well 1033262 and 1033263, doing so manually. Regards, Salvatore On Sat, Mar 25, 2023 at 10:49:26PM +, Debian FTP Masters wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Format: 1.8 > Date: Sat, 25 Mar 2023 23

[DRE-maint] Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload

2023-06-07 Thread Salvatore Bonaccorso
Hi LTS team, On Wed, Jun 07, 2023 at 08:44:53AM +0200, Bernhard Schmidt wrote: > Package: libruby2.5 > Version: 2.5.5-3+deb10u5 > Severity: grave > > Hi, > > I can't quite figure out why, but the latest security upload of ruby2.5 in > Buster breaks the ability of the puppet agent to pull files f

[DRE-maint] Bug#1038408: ruby3.1: CVE-2023-28755 CVE-2023-28756

2023-06-17 Thread Salvatore Bonaccorso
Source: ruby3.1 Version: 3.1.2-7 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerabilities were published for ruby3.1. CVE-2023-28755[0]: | A ReDoS issue was discovered in the URI component through 0.12.0 in | Ruby throug

[DRE-maint] Bug#1043432: ruby-protocol-http1: CVE-2023-38697

2023-08-10 Thread Salvatore Bonaccorso
Source: ruby-protocol-http1 Version: 0.14.6-1 Severity: important Tags: security upstream Forwarded: https://github.com/socketry/protocol-http1/pull/20 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-protocol-http1. CVE-2023-38697[0]:

[DRE-maint] Bug#1050079: puma: CVE-2023-40175: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

2023-08-19 Thread Salvatore Bonaccorso
Source: puma Version: 5.6.5-4 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 6.0.2-1 Hi, The following vulnerability was published for puma. CVE-2023-40175[0]: | Puma is a Ruby/Rack web server built for parallelism. Prior to |

[DRE-maint] Bug#1051057: rails: CVE-2023-38037

2023-09-01 Thread Salvatore Bonaccorso
Source: rails Version: 2:6.1.7.3+dfsg-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for rails. CVE-2023-38037[0]: Active Support Possibly Discloses Locally Encrypted Files If you fix the vulner

[DRE-maint] Bug#1051058: rails: CVE-2023-28362

2023-09-01 Thread Salvatore Bonaccorso
Source: rails Version: 2:6.1.7.3+dfsg-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for rails. CVE-2023-28362[0]: | Possible XSS via User Supplied Values to redirect_to If you fix the vulnerabi

[DRE-maint] Bug#1055474: redmine: CVE-2023-47258 CVE-2023-47259 CVE-2023-47260

2023-11-06 Thread Salvatore Bonaccorso
Source: redmine Version: 5.0.4-7 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerabilities were published for redmine. CVE-2023-47258[0]: | Redmine before 4.2.11 and 5.0.x before 5.0.6 allows

[DRE-maint] Bug#1060345: puma: CVE-2024-21647: Invalid parsing of chunked encoding in HTTP/1.1 allows DoS attacks

2024-01-09 Thread Salvatore Bonaccorso
Source: puma Version: 5.6.7-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for puma. CVE-2024-21647[0]: | Puma is a web server for Ruby/Rack applications built for | parallelism. Prior to version

[DRE-maint] Bug#1060345: puma: CVE-2024-21647: Invalid parsing of chunked encoding in HTTP/1.1 allows DoS attacks

2024-02-05 Thread Salvatore Bonaccorso
Source: puma Source-Version: 6.4.2-1 On Tue, Jan 09, 2024 at 10:15:07PM +0100, Salvatore Bonaccorso wrote: > Source: puma > Version: 5.6.7-1 > Severity: important > Tags: security upstream > X-Debbugs-Cc: car...@debian.org, Debian Security Team > > > Hi, > > T

[DRE-maint] Bug#1064862: ruby-rack-cors: CVE-2024-27456

2024-02-26 Thread Salvatore Bonaccorso
Source: ruby-rack-cors Version: 2.0.1-2 Severity: important Tags: security upstream Forwarded: https://github.com/cyu/rack-cors/issues/274 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-rack-cors. CVE-2024-27456[0]: | rack-cors (aka

[DRE-maint] Bug#1065118: yard: CVE-2024-27285

2024-02-29 Thread Salvatore Bonaccorso
Source: yard Version: 0.9.34-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 0.9.28-2 Control: found -1 0.9.24-1 Hi, The following vulnerability was published for yard. CVE-2024-27285[0]: | YARD is a Ruby Documentation tool.

[DRE-maint] Bug#1065119: rails: CVE-2024-26144

2024-02-29 Thread Salvatore Bonaccorso
Source: rails Version: 2:6.1.7.3+dfsg-3 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for rails. CVE-2024-26144[0]: | Rails is a web-application framework. Starting with version 5.2.0, | there is a

[DRE-maint] Bug#1067802: ruby3.2: CVE-2024-27281

2024-03-26 Thread Salvatore Bonaccorso
Source: ruby3.2 Version: 3.2.3-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: clone -1 -2 Control: reassign -2 src:ruby3.1 3.1.2-8 Control: retitle -2 ruby3.1: CVE-2024-27281 Control: found -2 3.1.2-7 Hi, The following vulnerability w

[DRE-maint] Bug#1068150: ruby-carrierwave: CVE-2023-49090

2024-03-31 Thread Salvatore Bonaccorso
Source: ruby-carrierwave Version: 1.3.2-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-carrierwave. CVE-2023-49090[0]: | CarrierWave is a solution for file uploads for Rails, Sinatra and

[DRE-maint] Bug#1069966: ruby3.1: CVE-2024-27280: Buffer overread vulnerability in StringIO

2024-04-27 Thread Salvatore Bonaccorso
Source: ruby3.1 Version: 3.1.2-8 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 3.1.2-7 Hi, The following vulnerability was published for ruby3.1. CVE-2024-27280[0]: | Buffer overread vulnerabilit

[DRE-maint] Bug#1069968: ruby3.2: CVE-2024-27282

2024-04-27 Thread Salvatore Bonaccorso
Source: ruby3.2 Version: 3.2.3-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: clone -1 -2 Control: reassign -2 src:ruby3.1 3.1.2-8 Control: retitle -2 ruby3.1: CVE-2024-27282 Control: found -2 3.1.2-7 Hi,

[DRE-maint] Bug#1070004: ruby-sidekiq: CVE-2024-32887

2024-04-28 Thread Salvatore Bonaccorso
Package: ruby-sidekiq Version: 7.2.1+dfsg-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team The following vulnerability was published for ruby-sidekiq. It only affects the experimental version, as the issue was intro

[DRE-maint] Bug#982551: ruby-carrierwave: CVE-2021-21305

2021-02-11 Thread Salvatore Bonaccorso
Source: ruby-carrierwave Version: 1.3.1-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-carrierwave. CVE-2021-21305[0]: | CarrierWave is an open-source RubyGem which provides a simple and

[DRE-maint] Bug#982552: ruby-carrierwave: CVE-2021-21288

2021-02-11 Thread Salvatore Bonaccorso
Source: ruby-carrierwave Version: 1.3.1-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-carrierwave. CVE-2021-21288[0]: | CarrierWave is an open-source RubyGem which provides a simple and

[DRE-maint] Bug#985569: ruby-kramdown: CVE-2021-28834

2021-03-20 Thread Salvatore Bonaccorso
Source: ruby-kramdown Version: 2.3.0-4 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://github.com/gettalong/kramdown/pull/708 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-kramdown. CVE-2

[DRE-maint] Bug#986806: CVE-2021-28965

2021-04-18 Thread Salvatore Bonaccorso
Hi, On Sat, Apr 17, 2021 at 10:34:24PM +0530, Pirate Praveen wrote: > > > On Sat, Apr 17, 2021 at 10:16 pm, Utkarsh Gupta wrote: > > Makes sense. Probably the time to RM ruby-rexml from the archive is > > *now*? > > Requested removal from archive in #987101 Thanks for filing the removal! I

[DRE-maint] Bug#986806: CVE-2021-28965

2021-04-18 Thread Salvatore Bonaccorso
Hi Pirate, On Sun, Apr 18, 2021 at 10:26:31PM +0530, Pirate Praveen wrote: > On Sun, 18 Apr 2021 15:04:56 +0200 Salvatore Bonaccorso > wrote: > > Hi, > > > > On Sat, Apr 17, 2021 at 10:34:24PM +0530, Pirate Praveen wrote: > > > > > > > > > On Sa

[DRE-maint] Bug#964274: ruby-websocket-extensions: CVE-2020-7663

2021-05-05 Thread Salvatore Bonaccorso
Hi Andreas, On Wed, May 05, 2021 at 09:57:09PM +0200, Andreas Beckmann wrote: > Followup-For: Bug #964274 > > Hi, > > CVE-2020-7663 is fixed in stretch-security but not buster, making > upgrades difficult since stretch-security has a newer version than buster. > Please upload the fix to buster, t

[DRE-maint] Bug#989054: puma: CVE-2021-29509: Keepalive Connections Causing Denial Of Service in puma

2021-05-24 Thread Salvatore Bonaccorso
Source: puma Version: 4.3.6-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for puma; it is caused by an incomplete fix for CVE-2019-16770. CVE-2021-29509[0]: | Pu

[DRE-maint] Bug#990577: ruby-bindata: CVE-2021-32823

2021-07-02 Thread Salvatore Bonaccorso
Source: ruby-bindata Version: 2.4.8-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for ruby-bindata. CVE-2021-32823[0]: | In the bindata RubyGem before version 2.4.10 there is a potential | denial

[DRE-maint] Bug#988214: Bug#989037: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1

2021-07-04 Thread Salvatore Bonaccorso
Hi Utkarsh, On Fri, Jun 18, 2021 at 10:23:39PM +0200, Paul Gevers wrote: > Hi Utkarsh > > On 06-06-2021 06:14, Paul Gevers wrote: > > I am hoping it's possible to just downgrade the *dependency* in rails > > only, such that the upload can happen via unstable. There is no "direct > > bullseye" rou

[DRE-maint] Bug#992586: rails: CVE-2021-22942: Possible Open Redirect in Host Authorization Middleware

2021-08-20 Thread Salvatore Bonaccorso
Source: rails Version: 2:6.0.3.7+dfsg-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for rails. CVE-2021-22942[0]: | Possible Open Redirect in Host Authorization Middleware If you fix the vulnera

[DRE-maint] Bug#993251: ruby-kramdown: Package kramdown vanished without notice or transitional package

2021-08-31 Thread Salvatore Bonaccorso
Hi, On Tue, Aug 31, 2021 at 09:30:17PM +0530, Pirate Praveen wrote: > On Sun, 29 Aug 2021 13:05:04 +0200 Axel Beckert wrote: > > Package: ruby-kramdown > > Version: 2.3.1-2 > > > > Hi, > > > > aptitude refused to upgrade ruby-kramdown initially, because I have the > > package "kramdown" installed

[DRE-maint] Bug#998417: redmine: CVE-2021-42326

2021-11-03 Thread Salvatore Bonaccorso
Source: redmine Version: 4.0.7-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for redmine. CVE-2021-42326[0]: | Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclo

[DRE-maint] Bug#998676: RM: chromium/93.0.4577.82-1

2021-11-06 Thread Salvatore Bonaccorso
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm X-Debbugs-Cc: car...@debian.org,t...@security.debian.org,chrom...@packages.debian.org,mgilb...@debian.org,riku.voi...@linaro.org,mic...@lebihan.pl,pkg-ruby-extras-maintain...@lists.alioth.debian.

[DRE-maint] Bug#900066: gitlab: 500 error on merge request creation

2018-05-26 Thread Salvatore Bonaccorso
Hi, On Sat, May 26, 2018 at 06:25:40PM +0530, Pirate Praveen wrote: > On Saturday 26 May 2018 03:34 PM, Simon Vetter wrote: > > Awesome, thank you for your prompt reply. > > > > In the meantime and assuming the fix is in non-compiled code (i.e. > > ruby), would you mind sharing a patch here so I

[DRE-maint] Bug#900133: open-build-service: CVE-2017-5188: worker VM escape via relative symbolic links

2018-05-26 Thread Salvatore Bonaccorso
Source: open-build-service Version: 2.7.1-10 Severity: grave Tags: security upstream Justification: user security hole Hi, The following vulnerability was published for open-build-service. CVE-2017-5188[0]: | The bs_worker code in open build service before 20170320 followed | relative symlinks,

[DRE-maint] Bug#900178: ruby-rails-admin: CVE-2017-12098

2018-05-26 Thread Salvatore Bonaccorso
Source: ruby-rails-admin Version: 0.8.1+dfsg-3 Severity: grave Tags: patch security upstream Justification: user security hole Forwarded: https://github.com/sferik/rails_admin/issues/2985 Hi, The following vulnerability was published for ruby-rails-admin. CVE-2017-12098[0]: | An exploitable cros

[DRE-maint] Bug#903086: ruby-grape: CVE-2018-3769: Default formatter error can cause XSS rendering issue

2018-07-05 Thread Salvatore Bonaccorso
Source: ruby-grape Version: 1.0.3-1 Severity: important Tags: patch security upstream Forwarded: https://github.com/ruby-grape/grape/issues/1762 Hi, The following vulnerability was published for ruby-grape. CVE-2018-3769[0]: | ruby-grape ruby gem suffers from a cross-site scripting (XSS) | vulne

[DRE-maint] Bug#901913: ruby-sprockets: diff for NMU version 3.7.0-1.1

2018-07-06 Thread Salvatore Bonaccorso
pload. + * Do not respond to http requests asking for a `file://` (CVE-2018-3760) +(Closes: #901913) + + -- Salvatore Bonaccorso Thu, 05 Jul 2018 23:29:49 +0200 + ruby-sprockets (3.7.0-1) unstable; urgency=medium * Team upload diff -Nru ruby-sprockets-3.7.0/debian/patches/Do-not-respond-to

[DRE-maint] Bug#903796: open-build-service: CVE-2018-7688

2018-07-14 Thread Salvatore Bonaccorso
Source: open-build-service Version: 2.7.4-2 Severity: important Tags: security upstream Forwarded: https://bugzilla.suse.com/show_bug.cgi?id=1094820 Hi, The following vulnerability was published for open-build-service. CVE-2018-7688[0]: | A missing permission check in the review handling of open

[DRE-maint] Bug#903797: open-build-service: CVE-2018-7689

2018-07-14 Thread Salvatore Bonaccorso
Source: open-build-service Version: 2.7.4-2 Severity: grave Tags: security upstream Forwarded: https://bugzilla.suse.com/show_bug.cgi?id=1094819 Hi, The following vulnerability was published for open-build-service. CVE-2018-7689[0]: | Lack of permission checks in the InitializeDevelPackage funct

[DRE-maint] Bug#903980: ruby-doorkeeper: CVE-2018-1000211: Public apps can't revoke OAuth access & refresh tokens in Doorkeeper

2018-07-17 Thread Salvatore Bonaccorso
Source: ruby-doorkeeper Version: 4.2.0-1 Severity: grave Tags: security upstream Forwarded: https://github.com/doorkeeper-gem/doorkeeper/issues/891 Hi, The following vulnerability was published for ruby-doorkeeper. CVE-2018-1000211[0]: | Doorkeeper version 4.2.0 and later contains a Incorrect Ac

[DRE-maint] Bug#904026: gitlab: CVE-2018-14364

2018-07-18 Thread Salvatore Bonaccorso
Source: gitlab Version: 8.9.0+dfsg-1 Severity: grave Tags: security upstream Hi, The following vulnerability was published for gitlab. CVE-2018-14364[0]: Remote Code Execution Vulnerability in GitLab Projects Import If you fix the vulnerability please also make sure to include the CVE (Common V

[DRE-maint] Bug#892250: ruby-rack-protection: diff for NMU version 1.5.3-2.1

2018-07-19 Thread Salvatore Bonaccorso
+ruby-rack-protection (1.5.3-2.1) unstable; urgency=medium + + * Non-maintainer upload. + + [ Moritz Muehlenhoff ] + * CVE-2018-1000119 (Closes: #892250) + + -- Salvatore Bonaccorso Fri, 20 Jul 2018 05:52:12 +0200 + ruby-rack-protection (1.5.3-2) unstable; urgency=medium * Team upload. diff

[DRE-maint] Bug#893610: closed by Pirate Praveen (Bug#893610: fixed in ruby-sanitize 4.6.5-1)

2018-07-28 Thread Salvatore Bonaccorso
Hi! On Wed, Jun 13, 2018 at 11:39:07AM +, Debian Bug Tracking System wrote: > ruby-sanitize (4.6.5-1) experimental; urgency=medium [...] >[ Pirate Praveen ] >* New upstream version 4.6.5 (Closes: #893610) (Fixes: CVE-2018-3740) Any plans for moving this to unstable, or is anything bl

[DRE-maint] Bug#893610: closed by Pirate Praveen (Bug#893610: fixed in ruby-sanitize 4.6.5-1)

2018-07-31 Thread Salvatore Bonaccorso
Hi, On Tue, Jul 31, 2018 at 03:09:52PM +0530, Pirate Praveen wrote: > On 29/07/18 12:04 PM, Salvatore Bonaccorso wrote: > > Any plans for moving this to unstable, or is anything blocking it? > > ruby-gollum-lib needs an update along with ruby-sanitize, but this > ruby-goll

[DRE-maint] Bug#909933: jekyll: CVE-2018-17567: bypass of symlink checking

2018-09-30 Thread Salvatore Bonaccorso
Source: jekyll Version: 3.8.3+dfsg-3 Severity: grave Tags: patch security upstream Forwarded: https://github.com/jekyll/jekyll/pull/7224 Control: found -1 3.1.6+dfsg-3 Hi, The following vulnerability was published for jekyll. CVE-2018-17567[0]: | Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.

[DRE-maint] Bug#903797: open-build-service: CVE-2018-7689

2018-10-20 Thread Salvatore Bonaccorso
Hi Andrew, On Fri, Oct 19, 2018 at 05:43:53PM +0800, Andrew Lee wrote: > Source: open-build-service > Followup-For: Bug #903797 > > > This seems only for the 2.9.x versions. Our current version of > open-build-service is 2.7.4. Can you shed some light on that? Why would the missing permission

[DRE-maint] Bug#911918: ruby-openssl: CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly

2018-10-25 Thread Salvatore Bonaccorso
Source: ruby-openssl Version: 2.1.1-1 Severity: grave Tags: patch security upstream Justification: user security hole Control: clone -1 -2 Control: retitle -2 ruby2.5: CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly Control: reassign -2 ruby2.5 2.5.1-6 Hi, The followin

[DRE-maint] Bug#911920: ruby2.5: CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives

2018-10-25 Thread Salvatore Bonaccorso
Source: ruby2.5 Version: 2.5.1-6 Severity: grave Tags: patch security upstream Justification: user security hole Hi, The following vulnerability was published for ruby2.5. CVE-2018-16396[0]: Tainted flags are not propagated in Array#pack and String#unpack with some directives If you fix the vu

[DRE-maint] Bug#912398: ruby-loofah: CVE-2018-16468

2018-10-30 Thread Salvatore Bonaccorso
Source: ruby-loofah Version: 2.2.2-1 Severity: important Tags: security upstream Forwarded: https://github.com/flavorjones/loofah/issues/154 Hi, The following vulnerability was published for ruby-loofah. CVE-2018-16468[0]: | In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may

[DRE-maint] Bug#913003: ruby-rack: CVE-2018-16470: Possible DoS vulnerability in Rack

2018-11-05 Thread Salvatore Bonaccorso
Source: ruby-rack Version: 2.0.5-1 Severity: grave Tags: patch security upstream Hi, The following vulnerability was published for ruby-rack, which only affects the experimental version. Filing with RC severity as the vulnerable version should not enter unstable. CVE-2018-16470[0]: Possible Do

[DRE-maint] Bug#913005: ruby-rack: CVE-2018-16471: Possible XSS vulnerability in Rack

2018-11-05 Thread Salvatore Bonaccorso
Source: ruby-rack Version: 1.6.4-4 Severity: grave Tags: patch security upstream Hi, The following vulnerability was published for ruby-rack. CVE-2018-16471[0]: Possible XSS vulnerability in Rack If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exp

[DRE-maint] Bug#913093: ruby-i18n: CVE-2014-10077

2018-11-06 Thread Salvatore Bonaccorso
Source: ruby-i18n Version: 0.7.0-2 Severity: important Tags: security upstream Forwarded: https://github.com/svenfuchs/i18n/pull/289 Hi, The following vulnerability was published for ruby-i18n. CVE-2014-10077[0]: | Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 | for Ruby a

[DRE-maint] Bug#913005: ruby-rack: CVE-2018-16471: Possible XSS vulnerability in Rack

2018-11-19 Thread Salvatore Bonaccorso
Hi Chris, On Mon, Nov 19, 2018 at 03:17:27AM -0500, Chris Lamb wrote: > Chris Lamb wrote: > > > Security team, like ruby-i18n, I would be more than happy to prepare > > and upload a stable security upload of this package when addressing > > it in jessie LTS. > […] > > Ruby team, again, I could ea

[DRE-maint] Bug#914166: gitlab: CVE-2018-19359: Unauthorized service template creation

2018-11-19 Thread Salvatore Bonaccorso
Source: gitlab Version: 10.8.7+dfsg-1 Severity: grave Tags: security upstream Hi, The following vulnerability was published for gitlab. CVE-2018-19359[0]: Unauthorized service template creation If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Expos

[DRE-maint] Bug#914847: rails: CVE-2018-16476: Broken Access Control vulnerability in Active Job

2018-11-27 Thread Salvatore Bonaccorso
Source: rails Version: 2:4.2.7.1-1 Severity: important Tags: patch security upstream Control: found -1 2:4.2.10-1 Hi, The following vulnerability was published for rails. CVE-2018-16476[0]: Broken Access Control vulnerability in Active Job If you fix the vulnerability please also make sure to i

[DRE-maint] Bug#914848: rails: CVE-2018-16477: Bypass vulnerability in Active Storage

2018-11-27 Thread Salvatore Bonaccorso
Source: rails Version: 2:5.2.0+dfsg-1 Severity: grave Tags: security upstream Hi, The following vulnerability was published for rails, and only affects the 5.2.0 version. CVE-2018-16477[0]: Bypass vulnerability in Active Storage If you fix the vulnerability please also make sure to include the CV

[DRE-maint] Bug#918086: gitlab: CVE-2018-20488 CVE-2018-20489 CVE-2018-20490 CVE-2018-20491 CVE-2018-20492 CVE-2018-20493 CVE-2018-20494 CVE-2018-20495 CVE-2018-20496 CVE-2018-20497 CVE-2018-20498 CVE

2019-01-02 Thread Salvatore Bonaccorso
Source: gitlab Version: 11.5.5+dfsg-1 Severity: grave Tags: security upstream Justification: user security hole Control: found -1 11.6.0+dfsg-1 Hi, The following vulnerabilities were published for gitlab, fixed in the 11.6.1, 11.5.6, and 11.4.13 versions, cf [15]. CVE-2018-20488[0]: Secret CI va

[DRE-maint] Bug#919822: gitlab: CVE-2019-6240: Arbitrary repo read in Gitlab project import

2019-01-19 Thread Salvatore Bonaccorso
Source: gitlab Version: 11.5.6+dfsg-1 Severity: grave Tags: security upstream fixed-upstream Justification: user security hole Hi, The following vulnerability was published for gitlab, and fixed in 11.6.4, 11.5.7, and 11.4.14. CVE-2019-6240[0]: RESERVED If you fix the vulnerability please also

[DRE-maint] Bug#921059: gitlab: CVE-2019-6781 CVE-2019-6782 CVE-2019-6783 CVE-2019-6784 CVE-2019-6785 CVE-2019-6786 CVE-2019-6787 CVE-2019-6788 CVE-2019-6789 CVE-2019-6790 CVE-2019-6791 CVE-2019-6792

2019-01-31 Thread Salvatore Bonaccorso
Source: gitlab Version: 11.5.7+dfsg-1 Severity: grave Tags: security upstream Justification: user security hole Hi See https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ for details to the announce and fixes in 11.7.3, 11.6.8, and 11.5.10. Regards, Salvatore __

[DRE-maint] Bug#924447: gitlab: CVE-2019-9170 CVE-2019-9171 CVE-2019-9172 CVE-2019-9174 CVE-2019-9175 CVE-2019-9176 CVE-2019-9178 CVE-2019-9179 CVE-2019-9217 CVE-2019-9219 CVE-2019-9220 CVE-2019-9221

2019-03-12 Thread Salvatore Bonaccorso
Source: gitlab Version: 11.5.10+dfsg-1 Severity: grave Tags: security upstream Justification: user security hole Control: found -1 11.8.0-1 Hi, The following vulnerabilities were published for gitlab, filing for tracking purposes. CVE-2019-9170[0]: IDOR milestone name information disclosure CVE

[DRE-maint] Bug#924520: rails: CVE-2019-5418 CVE-2019-5419

2019-03-13 Thread Salvatore Bonaccorso
Source: rails Version: 2:5.2.2+dfsg-6 Severity: important Tags: security upstream Control: found -1 2:5.2.2+dfsg-5 Control: found -1 2:4.2.7.1-1 Hi, The following vulnerabilities were published for rails. CVE-2019-5418[0]: File Content Disclosure in Action View CVE-2019-5419[1]: Denial of Servi

[DRE-maint] Bug#924521: rails: CVE-2019-5420

2019-03-13 Thread Salvatore Bonaccorso
Source: rails Version: 2:5.2.2+dfsg-6 Severity: important Tags: security upstream Control: found -1 2:5.2.2+dfsg-5 Hi, The following vulnerability was published for rails. CVE-2019-5420[0]: Possible Remote Code Execution Exploit in Rails Development Mode If you fix the vulnerability please also

[DRE-maint] Bug#921767: CVE-2018-12029

2019-03-16 Thread Salvatore Bonaccorso
3 +1,13 @@ +passenger (5.0.30-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * arbitrary file read via REVISION symlink (CVE-2017-16355) +(Closes: #884463) + * Fix privilege escalation in the Nginx module (CVE-2018-12029) +(Closes: #921767) + + -- Salvatore Bonaccorso Sat,
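Review bot: the two changelog bullets in this hunk are inconsistent in form: `* arbitrary file read via REVISION symlink (CVE-2017-16355)` names the vulnerability, while `* Fix privilege escalation in the Nginx module (CVE-2018-12029)` names the action taken; reword the first as `* Fix arbitrary file read via REVISION symlink (CVE-2017-16355)` so both entries describe what the upload changes. The entry also declares `urgency=medium` for an upload that closes two security bugs; consider whether `urgency=high` is the appropriate urgency for this NMU.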

[DRE-maint] Bug#884463: passenger: CVE-2017-16355: arbitrary file read

2019-03-16 Thread Salvatore Bonaccorso
* Fix privilege escalation in the Nginx module (CVE-2018-12029) +(Closes: #921767) + + -- Salvatore Bonaccorso Sat, 16 Mar 2019 08:54:26 +0100 + passenger (5.0.30-1) unstable; urgency=medium * New upstream release. diff -Nru passenger-5.0.30/debian/patches/CVE-2017-16355.patch passenger-5

[DRE-maint] Bug#924747: ruby-doorkeeper-openid-connect: CVE-2019-9837

2019-03-16 Thread Salvatore Bonaccorso
Source: ruby-doorkeeper-openid-connect Version: 1.5.2-1 Severity: grave Tags: security upstream Forwarded: https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/61 Hi, The following vulnerability was published for ruby-doorkeeper-openid-connect. CVE-2019-9837[0]: | Doorkeeper::Openi

[DRE-maint] Bug#921767: passenger: diff for NMU version 5.0.30-1.1

2019-03-17 Thread Salvatore Bonaccorso
-2017-16355) +(Closes: #884463) + * Fix privilege escalation in the Nginx module (CVE-2018-12029) +(Closes: #921767) + + -- Salvatore Bonaccorso Sat, 16 Mar 2019 08:54:26 +0100 + passenger (5.0.30-1) unstable; urgency=medium * New upstream release. diff -Nru passenger-5.0.30/debian/pa

[DRE-maint] Bug#925196: gitlab: CVE-2019-9866: Project Runner Token Exposed Through Issues Quick Actions

2019-03-20 Thread Salvatore Bonaccorso
Source: gitlab Version: 11.8.2-3 Severity: grave Tags: security upstream Hi, The following vulnerability was published for gitlab. CVE-2019-9866[0]: Project Runner Token Exposed Through Issues Quick Actions If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabil

[DRE-maint] Bug#926348: ruby-devise: CVE-2019-5421

2019-04-03 Thread Salvatore Bonaccorso
Source: ruby-devise Version: 4.5.0-2 Severity: important Tags: security upstream Forwarded: https://github.com/plataformatec/devise/issues/4981 Hi, The following vulnerability was published for ruby-devise. CVE-2019-5421[0]: | Plataformatec Devise version 4.5.0 and earlier, using the lockable |

[DRE-maint] Bug#926482: gitlab: CVE-2018-5158 CVE-2019-10109 CVE-2019-10110 CVE-2019-10111 CVE-2019-10113 CVE-2019-10115 CVE-2019-10116 CVE-2019-10640

2019-04-05 Thread Salvatore Bonaccorso
Source: gitlab Version: 11.8.3-1 Severity: grave Tags: security upstream Justification: user security hole Hi, The following vulnerabilities were published for gitlab, fixed upstream in the 11.9.4, 11.8.6, and 11.7.10 releases. CVE-2018-5158[0]: | The PDF viewer does not sufficiently sanitize Po

[DRE-maint] Bug#928221: gitlab: CVE-2019-11544 CVE-2019-11546 CVE-2019-11547 CVE-2019-11548 CVE-2019-11549

2019-04-29 Thread Salvatore Bonaccorso
Source: gitlab Version: 11.8.6+dfsg-1 Severity: grave Tags: security upstream Justification: user security hole Hi, The following vulnerabilities were published for gitlab. CVE-2019-11544[0]: Notification Emails Sent to Restricted Users CVE-2019-11546[1]: Merge Request Approval Count Inflation

[DRE-maint] Bug#930004: gitlab: CVE-2019-12428 CVE-2019-12431 CVE-2019-12432 CVE-2019-12433 CVE-2019-12434 CVE-2019-12441 CVE-2019-12442 CVE-2019-12443 CVE-2019-12444 CVE-2019-12445 CVE-2019-12446

2019-06-04 Thread Salvatore Bonaccorso
Source: gitlab Version: 11.8.10+dfsg-1 Severity: grave Tags: security upstream Justification: user security hole Hi, The following vulnerabilities were published for gitlab, see [11] for a complete listing. CVE-2019-12428[0]: Mandatory External Authentication Provider Sign-In Restrictions Bypass

[DRE-maint] Bug#930388: ruby-openid: CVE-2019-11027

2019-06-11 Thread Salvatore Bonaccorso
Source: ruby-openid Version: 2.7.0debian-1 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://github.com/openid/ruby-openid/issues/122 Hi, The following vulnerability was published for ruby-openid. CVE-2019-11027[0]: | Ruby OpenID (aka ruby-openid) throu

[DRE-maint] Bug#931932: CVE-2019-13574

2019-07-13 Thread Salvatore Bonaccorso
Hi, On Fri, Jul 12, 2019 at 03:58:05PM +0200, Moritz Muehlenhoff wrote: > Package: ruby-mini-magick > Severity: grave > Tags: security > > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13574 FTR, for stretch and buster addressed this in DSA 4481-1. For sid/bullseye might be s

[DRE-maint] Bug#931932: ruby-mini-magick: diff for NMU version 4.9.2-1.1

2019-07-13 Thread Salvatore Bonaccorso
ainer upload. + * Don't allow remote shell execution (CVE-2019-13574) (Closes: #931932) + + -- Salvatore Bonaccorso Sat, 13 Jul 2019 21:51:59 +0200 + ruby-mini-magick (4.9.2-1) unstable; urgency=medium * Team upload diff -Nru ruby-mini-magick-4.9.2/debian/patches/Don-t-allow-re
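Review bot: the changelog bullet `* Don't allow remote shell execution (CVE-2019-13574)` states the outcome but not where the fix lands; a short hint at the affected code path (the MiniMagick entry point that the patch changes) would make the entry self-explanatory for anyone reading the changelog without opening the patch, and would match the level of detail given for the CVE reference and the closed bug.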

[DRE-maint] Bug#931932: fixed in ruby-mini-magick 4.9.2-1+deb10u1

2019-07-23 Thread Salvatore Bonaccorso
Hey! On Wed, Jul 24, 2019 at 10:43:40AM +0530, Utkarsh Gupta wrote: > Hey Salvatore, > > On Tue, 16 Jul 2019 21:07:05 + Salvatore Bonaccorso > wrote: > > Source: ruby-mini-magick > > Source-Version: 4.9.2-1+deb10u1 > > > > We believe that the bug you rep

[DRE-maint] Bug#933785: gitlab: CVE-2019-5470 CVE-2019-5469 CVE-2019-5468 CVE-2019-5466 CVE-2019-5465 CVE-2019-5464 CVE-2019-5463 CVE-2019-5462 CVE-2019-5461

2019-08-03 Thread Salvatore Bonaccorso
Source: gitlab Version: 11.8.10+dfsg-1 Severity: grave Tags: security upstream Justification: user security hole Hi, The following vulnerabilities were published for gitlab, see [9]. CVE-2019-5470[0]: Information Disclosure Vulnerability Feedback CVE-2019-5469[1]: Arbitrary File Upload via Impo

[DRE-maint] Bug#934708: gitlab: CVE-2019-14942 CVE-2019-14944 (GitLab Critical Security Release: 12.1.6, 12.0.6, and 11.11.8)

2019-08-13 Thread Salvatore Bonaccorso
Source: gitlab Version: 11.8.10+dfsg-1 Severity: grave Tags: security upstream Justification: user security hole Hi, The following vulnerabilities were published for gitlab, another round of gitlab issues, where this time only two CVEs are affecting the versions present in Debian. CVE-2019-14942[

[DRE-maint] Bug#934802: ruby-nokogiri: CVE-2019-5477: command injection vulnerability

2019-08-14 Thread Salvatore Bonaccorso
Source: ruby-nokogiri Version: 1.10.3+dfsg1-2 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://github.com/sparklemotion/nokogiri/issues/1915 Hi, The following vulnerability was published for ruby-nokogiri. CVE-2019-5477[0]: Command Injection Vulnerabil

Re: [DRE-maint] CVE-2019-5477: ruby-nokogiri issue caused by rexical

2019-08-30 Thread Salvatore Bonaccorso
Hi Mike, On Fri, Aug 30, 2019 at 11:25:16AM +, Mike Gabriel wrote: > However, to address CVE-2019-5477 it should also be associated to the > rexical src:pkg in stretch and later. @security-team: can you please update > data/CVE/list appropriately (instead of me updating it and you correcting m
