Your message dated Sun, 10 Jul 2005 09:32:05 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#315064: fixed in ruby1.8 1.8.2-7sarge1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Date: Mon, 20 Jun 2005 20:16:25 +0900 (JST)
To: Debian Ruby Maintainers <[EMAIL PROTECTED]>
Subject: libruby1.8: arbitrary command execution on XMLRPC server
From: Nobuhiro IMAI <[EMAIL PROTECTED]>
Package: libruby1.8
Version: 1.8.2-7
Severity: grave
Tags: security fixed-upstream
Please consider this issue[1]. This has already been fixed in
upstream CVS r1.4[2][3]; however, I don't have a clear idea whether I
should treat this issue as a security issue or a normal (but grave ;)
bug within Debian, so I'm sending this report to [EMAIL PROTECTED]
at this time. If this should be treated as a security issue, please do
so or let me know what I can do. Anyway, I'd like new packages to
be uploaded to security.d.o's sarge/updates (or similar) as well.
1. http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237
2. http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/lib/xmlrpc/utils.rb.diff?r1=1.3;r2=1.4
3. libruby1.9 (1.9.0+20050412-3) is also problematic.
Regards,
--
Nobuhiro IMAI <[EMAIL PROTECTED]>
Key fingerprint = F39E D552 545D 7C64 D690 F644 5A15 746C BD8E 7106
---------------------------------------
From: akira yamada <[EMAIL PROTECTED]>
Subject: Bug#315064: fixed in ruby1.8 1.8.2-7sarge1
Date: Sun, 10 Jul 2005 09:32:05 -0400
Source: ruby1.8
Source-Version: 1.8.2-7sarge1
We believe that the bug you reported is fixed in the latest version of
ruby1.8, which is due to be installed in the Debian FTP archive:
irb1.8_1.8.2-7sarge1_all.deb
  to pool/main/r/ruby1.8/irb1.8_1.8.2-7sarge1_all.deb
libdbm-ruby1.8_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/libdbm-ruby1.8_1.8.2-7sarge1_i386.deb
libgdbm-ruby1.8_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/libgdbm-ruby1.8_1.8.2-7sarge1_i386.deb
libopenssl-ruby1.8_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/libopenssl-ruby1.8_1.8.2-7sarge1_i386.deb
libreadline-ruby1.8_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/libreadline-ruby1.8_1.8.2-7sarge1_i386.deb
libruby1.8-dbg_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/libruby1.8-dbg_1.8.2-7sarge1_i386.deb
libruby1.8_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/libruby1.8_1.8.2-7sarge1_i386.deb
libtcltk-ruby1.8_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/libtcltk-ruby1.8_1.8.2-7sarge1_i386.deb
rdoc1.8_1.8.2-7sarge1_all.deb
  to pool/main/r/ruby1.8/rdoc1.8_1.8.2-7sarge1_all.deb
ri1.8_1.8.2-7sarge1_all.deb
  to pool/main/r/ruby1.8/ri1.8_1.8.2-7sarge1_all.deb
ruby1.8-dev_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/ruby1.8-dev_1.8.2-7sarge1_i386.deb
ruby1.8-elisp_1.8.2-7sarge1_all.deb
  to pool/main/r/ruby1.8/ruby1.8-elisp_1.8.2-7sarge1_all.deb
ruby1.8-examples_1.8.2-7sarge1_all.deb
  to pool/main/r/ruby1.8/ruby1.8-examples_1.8.2-7sarge1_all.deb
ruby1.8_1.8.2-7sarge1.diff.gz
  to pool/main/r/ruby1.8/ruby1.8_1.8.2-7sarge1.diff.gz
ruby1.8_1.8.2-7sarge1.dsc
  to pool/main/r/ruby1.8/ruby1.8_1.8.2-7sarge1.dsc
ruby1.8_1.8.2-7sarge1_i386.deb
  to pool/main/r/ruby1.8/ruby1.8_1.8.2-7sarge1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
akira yamada <[EMAIL PROTECTED]> (supplier of updated ruby1.8 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Fri, 8 Jul 2005 19:26:04 +0900
Source: ruby1.8
Binary: libtcltk-ruby1.8 libruby1.8-dbg rdoc1.8 libgdbm-ruby1.8 ruby1.8-dev ruby1.8-elisp ruby1.8-examples libdbm-ruby1.8 irb1.8 ruby1.8 libreadline-ruby1.8 libopenssl-ruby1.8 libruby1.8 ri1.8
Architecture: source i386 all
Version: 1.8.2-7sarge1
Distribution: stable-security
Urgency: high
Maintainer: akira yamada <[EMAIL PROTECTED]>
Changed-By: akira yamada <[EMAIL PROTECTED]>
Description:
irb1.8 - Interactive Ruby (for Ruby 1.8)
libdbm-ruby1.8 - DBM interface for Ruby 1.8
libgdbm-ruby1.8 - GDBM interface for Ruby 1.8
libopenssl-ruby1.8 - OpenSSL interface for Ruby 1.8
libreadline-ruby1.8 - Readline interface for Ruby 1.8
libruby1.8 - Libraries necessary to run Ruby 1.8
libruby1.8-dbg - Debugging libraries for Ruby 1.8
libtcltk-ruby1.8 - Tcl/Tk interface for Ruby 1.8
rdoc1.8 - Generate documentation from Ruby source files (for Ruby 1.8)
ri1.8 - Ruby Interactive reference (for Ruby 1.8)
ruby1.8 - Interpreter of object-oriented scripting language Ruby 1.8
ruby1.8-dev - Header files for compiling extension modules for the Ruby 1.8
ruby1.8-elisp - ruby-mode for Emacsen
ruby1.8-examples - Examples for Ruby 1.8
Closes: 315064
Changes:
ruby1.8 (1.8.2-7sarge1) stable-security; urgency=high

  * akira yamada <[EMAIL PROTECTED]>
    - added debian/patches/802_xmlrpc_util.rb.patch:
      - (urgency high) fixed arbitrary command execution on XMLRPC server.
        CAN-2005-1992 [ruby-core:5237] (closes: #315064)
Files: