Your message dated Wed, 5 Mar 2008 20:50:57 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#469482: Bug#469475: ruby1.8: File access vulnerability
of WEBrick
has caused the Debian Bug report #469482,
regarding ruby1.9: File access vulnerability of WEBrick
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
469482: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469482
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: ruby1.9
Version: 1.9.0+20071016-1
Severity: grave
Tags: security
Justification: user security hole
WEBrick, a standard library of Ruby to implement HTTP servers, has a file
access vulnerability[1]. Attackers may access private files. The fixed
versions have been released by the upstream.
Vulnerable versions
1.8 series
* 1.8.4 and all prior versions
* 1.8.5-p114 and all prior versions (etch)
* 1.8.6-p113 and all prior versions (testing)
1.9 series
* 1.9.0-1 and all prior versions (etch and testing)
[1] http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable'), (90, 'unstable'), (1,
'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=ja_JP.eucJP, LC_CTYPE=ja_JP.eucJP (charmap=EUC-JP)
Shell: /bin/sh linked to /bin/bash
Versions of packages ruby1.9 depends on:
ii libc6 2.7-6 GNU C Library: Shared libraries
ii libruby1.9 1.9.0+20071016-1 Libraries necessary to run Ruby 1.
ruby1.9 recommends no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
On 05/03/08 at 15:15 +0100, Thijs Kinkhorst wrote:
> On Wednesday 5 March 2008 13:59, Daigo Moriwaki wrote:
> > WEBrick, a standard library of Ruby to implement HTTP servers, has a file
> > access vulnerability[1]. Attackers may access private files. The fixed
> > versions have been released by the upstream.
>
> Hi,
>
> I read on [1] the following:
>
> | Affected systems are:
> |
> | 1. Systems that accept backslash (\) as a path separator, such as Windows.
> | 2. Systems that use case insensitive filesystems such as NTFS on Windows,
> | HFS on Mac OS X.
>
> I'm marking these issues as not-vulnerable in Debian according to this
> information.
OK, so no need to prepare updates for other versions of ruby. I'm
closing the bug in ruby1.9.
--
| Lucas Nussbaum
| [EMAIL PROTECTED] http://www.lucas-nussbaum.net/ |
| jabber: [EMAIL PROTECTED] GPG: 1024D/023B3F4F |
--- End Message ---
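The triage carried out in this thread (listed version plus the two platform conditions quoted from the advisory) can be written as a host check. This is an added example, not part of the original messages or of Ruby/WEBrick; the function names are hypothetical, version strings are assumed to be upstream-style ("1.8.5-p114", "1.9.0-1"), and a version outside the report's list is returned as not listed rather than as safe.

```ruby
require "rubygems"
require "tmpdir"

# Upper bounds copied from the "Vulnerable versions" list in the report:
# release => highest listed patchlevel / release number.
LISTED_MAX = { "1.8.5" => 114, "1.8.6" => 113, "1.9.0" => 1 }.freeze

# True when the upstream-style version string falls inside the listed ranges.
def listed_vulnerable?(version)
  base, suffix = version.split("-", 2)
  level = suffix.to_s.delete("p").to_i          # "p114" -> 114, "1" -> 1, none -> 0
  # "1.8.4 and all prior versions"
  return true if Gem::Version.new(base) <= Gem::Version.new("1.8.4")
  LISTED_MAX.key?(base) && level <= LISTED_MAX[base]
end

# Condition 1 from the advisory: backslash accepted as a path separator.
def backslash_separator?
  File::ALT_SEPARATOR == "\\"
end

# Condition 2: case-insensitive filesystem, probed in a scratch directory.
def case_insensitive_fs?(dir = Dir.tmpdir)
  Dir.mktmpdir("casefs", dir) do |d|
    File.write(File.join(d, "probe"), "")
    File.exist?(File.join(d, "PROBE"))
  end
end

# Combine the version list with the platform facts, as done in the thread.
def triage(version, backslash:, case_insensitive:)
  return :version_not_listed unless listed_vulnerable?(version)
  (backslash || case_insensitive) ? :affected : :platform_not_affected
end

if __FILE__ == $0
  # Constructed sample input: the etch 1.8 upper bound, checked on this host.
  puts triage("1.8.5-p114",
              backslash: backslash_separator?,
              case_insensitive: case_insensitive_fs?)
end
```

The filesystem probe only describes the directory it runs in, so pass the volume that holds the served document root when it differs from the temp directory.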