Hi Antonio,

On Wed, Jul 29, 2015 at 08:46:16PM -0300, Antonio Terceiro wrote:
> 
> On Sat, Jun 27, 2015 at 10:23:31PM +0200, Christian Hofstaedtler wrote:
> > Salvatore,
> > 
> > * Salvatore Bonaccorso <car...@debian.org> [150627 13:57]:
> > > Source: ruby2.1
> > > Version: 2.1.5-1
> > > Severity: important
> > > Tags: security upstream patch fixed-upstream
> > > 
> > > the following vulnerability was published for ruby2.1.
> > > 
> > > CVE-2015-3900[0]:
> > > | RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before
> > > | 2.4.7 does not validate the hostname when fetching gems or making API
> > > | request, which allows remote attackers to redirect requests to
> > > | arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack
> > > | attack."
> > 
> > Thank you for bringing this to our attention. I suspect upstream
> > will upgrade to 2.2.5 (on the ruby 2.1 branch) in the next few days,
> > and then I'd like to import that, if nobody objects.
> 
> upstream didn't do that until now, so I want to upload the attached
> debdiff to jessie-security.
> 
> the ruby packages are maintained with patches applied in git, so the
> metadata is not visible in the debdiff. I applied these two commits,
> cherry-picked from rubygems upstream (funny enough that they apply
> cleanly on top of the ruby source):
> 
> http://anonscm.debian.org/cgit/collab-maint/ruby.git/commit/?h=debian/jessie&id=9b945cadc3b157829a60debff1dd5c536644f9b2
> http://anonscm.debian.org/cgit/collab-maint/ruby.git/commit/?h=debian/jessie&id=61f89c1e7b7ac864d840686aa7824eb04cba5cff
> 
> Salvatore, please let me know if I can upload to jessie-security.
> I will make similar uploads to unstable for both ruby2.1 and ruby2.2.
The debdiff itself looks good to me (btw, for security uploads use
urgency=high for consistency).

Looking at the security-tracker,

https://security-tracker.debian.org/tracker/CVE-2015-3900

we had marked this as no-dsa with the following comment,

[jessie] - ruby2.1 <no-dsa> (Minor issue, can be coupled with a future Ruby DSA)

So I suggest either waiting for a more urgent update for ruby2.1 to be
targeted via a jessie-security update, or asking the stable release
managers to schedule it via a jessie-pu. Fine with you?

Btw, there is

https://security-tracker.debian.org/tracker/CVE-2009-5147

(but which still has a TODO item, so it needs to be checked whether this
affects ruby2.1 at all; so it has no decision yet about dsa/no-dsa either).

Regards,
Salvatore
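An added example, not code from this bug thread or from RubyGems itself, modelling the DNS SRV redirect that CVE-2015-3900 describes: a constructed, offline SRV table stands in for the resolver, and the unchecked endpoint lookup is shown next to one that only follows an SRV target inside the source host's own domain. The subdomain rule is an assumption about what such a check needs, not a quote of the cherry-picked upstream commits.

```ruby
require 'uri'

# Constructed SRV answers (query name => target), standing in for a resolver.
# Only the first is a legitimate delegation; the others are the shapes a
# hostile or misconfigured answer could take.
FAKE_SRV = {
  '_rubygems._tcp.rubygems.org' => 'api.rubygems.org',
  '_rubygems._tcp.example.org'  => 'srv.elsewhere.test',          # other domain
  '_rubygems._tcp.gems.example' => 'gems.example.elsewhere.test'  # prefix trick
}.freeze

def lookup_srv_target(host)
  FAKE_SRV["_rubygems._tcp.#{host}"]
end

# Unchecked: follows whatever host the SRV record names (the CVE behaviour).
def api_endpoint_unchecked(source)
  uri = URI.parse(source)
  target = lookup_srv_target(uri.host)
  return uri unless target
  URI.parse("#{uri.scheme}://#{target}")
end

# Checked: the SRV target must be the source host itself or a subdomain of it
# (suffix match on ".host", not a substring test, so the prefix trick fails).
# On any other target, stay on the original source instead of redirecting.
def api_endpoint_checked(source)
  uri = URI.parse(source)
  target = lookup_srv_target(uri.host)
  return uri unless target
  host = uri.host.downcase
  candidate = target.downcase.chomp('.')
  return uri unless candidate == host || candidate.end_with?(".#{host}")
  URI.parse("#{uri.scheme}://#{candidate}")
end

if $PROGRAM_NAME == __FILE__
  %w[https://rubygems.org https://example.org https://gems.example].each do |src|
    puts "#{src}: unchecked -> #{api_endpoint_unchecked(src).host}, " \
         "checked -> #{api_endpoint_checked(src).host}"
  end
end
```

Only the rubygems.org lookup is redirected by the checked version; the other two constructed records are refused and the client stays on the source it was configured with.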