Your message dated Sat, 22 Aug 2009 01:59:20 +0000
with message-id <e1meft2-0004df...@ries.debian.org>
and subject line Bug#513528: fixed in ruby1.9 1.9.0.5-1
has caused the Debian Bug report #513528,
regarding ruby1.9: Not properly checking the return value of OCSP_basic_verify
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
513528: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ruby1.9
Severity: serious
Tags: security

Hi,

I was looking at return codes for applications making use of
openssl functions and found this in ext/openssl/ossl_ocsp.c:

    result = OCSP_basic_verify(bs, x509s, x509st, flg);
    sk_X509_pop_free(x509s, X509_free);
    if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));

    return result ? Qtrue : Qfalse;

OCSP_basic_verify() can return both 0 and -1 in error cases,
so this function can incorrectly return information to the
caller.

I have no idea what this code is used for or what the consequences
of this might be.


Kurt




--- End Message ---
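The defect Kurt describes is the classic OpenSSL tri-state return value: OCSP_basic_verify() returns 1 on success, 0 when verification fails and -1 on an internal error, so `result ? Qtrue : Qfalse` reports the error case as a successful verification. The C program below is an added illustration, not code from the ruby1.9 package, the bug report or the Debian patch; `fake_ocsp_basic_verify()` is a constructed stand-in that only models the three return values so the file compiles without OpenSSL, and `verify_status_fixed()` is an assumed hardened form rather than a reproduction of the upstream patch.

```c
/* Added example: why `result ? Qtrue : Qfalse` is the wrong test for an
 * OpenSSL-style return value, and what the check should look like instead.
 *
 * OCSP_basic_verify() returns 1 on success, 0 on verification failure and
 * -1 on error.  The stub below is a constructed stand-in so that this file
 * builds without linking OpenSSL; the three return values are all it models.
 */
#include <stdio.h>

#define VERIFY_OK       1
#define VERIFY_FAILED   0
#define VERIFY_ERROR   -1

/* Constructed stand-in for OCSP_basic_verify(): returns whichever outcome
 * the caller asks for, so every branch of the wrappers can be exercised. */
static int fake_ocsp_basic_verify(int outcome)
{
    return outcome;
}

/* Wrapper written the way the reported ossl_ocsp.c code tests the value:
 * any non-zero result counts as "verified".  An internal error (-1) is
 * therefore reported to the caller as success (1). */
int verify_status_buggy(int outcome)
{
    int result = fake_ocsp_basic_verify(outcome);
    if (!result)                     /* only 0 is treated as a problem */
        fprintf(stderr, "verify failed\n");
    return result ? 1 : 0;           /* -1 lands in the "true" branch */
}

/* Hardened form (an assumption for illustration, not the upstream patch):
 * only the documented success value counts as success, and both 0 and -1
 * are reported as a failure. */
int verify_status_fixed(int outcome)
{
    int result = fake_ocsp_basic_verify(outcome);
    if (result <= 0)                 /* covers both 0 and -1 */
        fprintf(stderr, "verify failed or errored (rc=%d)\n", result);
    return result == VERIFY_OK ? 1 : 0;
}

int main(void)
{
    int outcomes[] = { VERIFY_OK, VERIFY_FAILED, VERIFY_ERROR };
    size_t i;
    /* Walk all three return values and print what each wrapper reports. */
    for (i = 0; i < sizeof outcomes / sizeof outcomes[0]; i++) {
        printf("rc=%2d  buggy=%d  fixed=%d\n", outcomes[i],
               verify_status_buggy(outcomes[i]),
               verify_status_fixed(outcomes[i]));
    }
    return 0;
}
```

The row for rc=-1 is the one that matters: the buggy wrapper reports 1 (verified) while the fixed wrapper reports 0. When reviewing code that calls OpenSSL verification routines, the defensive check is always "equals the success value" rather than "is non-zero".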
--- Begin Message ---
Source: ruby1.9
Source-Version: 1.9.0.5-1

We believe that the bug you reported is fixed in the latest version of
ruby1.9, which is due to be installed in the Debian FTP archive:

irb1.9_1.9.0.5-1_all.deb
  to pool/main/r/ruby1.9/irb1.9_1.9.0.5-1_all.deb
libdbm-ruby1.9_1.9.0.5-1_amd64.deb
  to pool/main/r/ruby1.9/libdbm-ruby1.9_1.9.0.5-1_amd64.deb
libgdbm-ruby1.9_1.9.0.5-1_amd64.deb
  to pool/main/r/ruby1.9/libgdbm-ruby1.9_1.9.0.5-1_amd64.deb
libopenssl-ruby1.9_1.9.0.5-1_amd64.deb
  to pool/main/r/ruby1.9/libopenssl-ruby1.9_1.9.0.5-1_amd64.deb
libreadline-ruby1.9_1.9.0.5-1_amd64.deb
  to pool/main/r/ruby1.9/libreadline-ruby1.9_1.9.0.5-1_amd64.deb
libruby1.9-dbg_1.9.0.5-1_amd64.deb
  to pool/main/r/ruby1.9/libruby1.9-dbg_1.9.0.5-1_amd64.deb
libruby1.9_1.9.0.5-1_amd64.deb
  to pool/main/r/ruby1.9/libruby1.9_1.9.0.5-1_amd64.deb
libtcltk-ruby1.9_1.9.0.5-1_amd64.deb
  to pool/main/r/ruby1.9/libtcltk-ruby1.9_1.9.0.5-1_amd64.deb
rdoc1.9_1.9.0.5-1_all.deb
  to pool/main/r/ruby1.9/rdoc1.9_1.9.0.5-1_all.deb
ri1.9_1.9.0.5-1_all.deb
  to pool/main/r/ruby1.9/ri1.9_1.9.0.5-1_all.deb
ruby1.9-dev_1.9.0.5-1_amd64.deb
  to pool/main/r/ruby1.9/ruby1.9-dev_1.9.0.5-1_amd64.deb
ruby1.9-elisp_1.9.0.5-1_all.deb
  to pool/main/r/ruby1.9/ruby1.9-elisp_1.9.0.5-1_all.deb
ruby1.9-examples_1.9.0.5-1_all.deb
  to pool/main/r/ruby1.9/ruby1.9-examples_1.9.0.5-1_all.deb
ruby1.9_1.9.0.5-1.diff.gz
  to pool/main/r/ruby1.9/ruby1.9_1.9.0.5-1.diff.gz
ruby1.9_1.9.0.5-1.dsc
  to pool/main/r/ruby1.9/ruby1.9_1.9.0.5-1.dsc
ruby1.9_1.9.0.5-1_amd64.deb
  to pool/main/r/ruby1.9/ruby1.9_1.9.0.5-1_amd64.deb
ruby1.9_1.9.0.5.orig.tar.gz
  to pool/main/r/ruby1.9/ruby1.9_1.9.0.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daigo Moriwaki <da...@debian.org> (supplier of updated ruby1.9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 22 Aug 2009 09:55:25 +0900
Source: ruby1.9
Binary: ruby1.9 libruby1.9 libruby1.9-dbg ruby1.9-dev libdbm-ruby1.9 libgdbm-ruby1.9 libreadline-ruby1.9 libtcltk-ruby1.9 libopenssl-ruby1.9 ruby1.9-examples ruby1.9-elisp ri1.9 rdoc1.9 irb1.9
Architecture: source all amd64
Version: 1.9.0.5-1
Distribution: unstable
Urgency: low
Maintainer: akira yamada <ak...@debian.org>
Changed-By: Daigo Moriwaki <da...@debian.org>
Description: 
 irb1.9     - Interactive Ruby (for Ruby 1.9)
 libdbm-ruby1.9 - DBM interface for Ruby 1.9
 libgdbm-ruby1.9 - GDBM interface for Ruby 1.9
 libopenssl-ruby1.9 - OpenSSL interface for Ruby 1.9
 libreadline-ruby1.9 - Readline interface for Ruby 1.9
 libruby1.9 - Libraries necessary to run Ruby 1.9
 libruby1.9-dbg - Debugging symbols for Ruby 1.9
 libtcltk-ruby1.9 - Tcl/Tk interface for Ruby 1.9
 rdoc1.9    - Generate documentation from Ruby source files (for Ruby 1.9)
 ri1.9      - Ruby Interactive reference (for Ruby 1.9)
 ruby1.9    - Interpreter of object-oriented scripting language Ruby 1.9
 ruby1.9-dev - Header files for compiling extension modules for the Ruby 1.9
 ruby1.9-elisp - ruby-mode for Emacsen
 ruby1.9-examples - Examples for Ruby 1.9
Closes: 510914 513528 514695 514696 532057 541026
Changes: 
 ruby1.9 (1.9.0.5-1) unstable; urgency=low
 .
   [ Daigo Moriwaki ]
   * debian/watch: corrected to follow the new versioning by the upstream such
     as 1.9.1-p0.tar.gz
   * Added debian/patches/090301_r22440_OCSP_basic_verify.dpatch: It did not
     properly check the return value from the OCSP_basic_verify function, which
     might allow remote attackers to successfully present an invalid X.509
     certificate, possibly involving a revoked certificate. [CVE-2009-0642]
     (Closes: #513528)
   * debian/rules:
     - fixshebang.sh runs on bash.
     - The upstream's COPYING* is no longer installed (due to Debian policy).
       That information is included in debian/copyright.
   * debian/patches/090803_exclude_rdoc.dpatch: ported from the ruby1.9.1
     package.
   * debian/control: Added misc depends.
   * debian/compat: Bumped up the version to 7.
 .
   [ Lucas Nussbaum ]
   * New upstream release.
     + *.inc updated.
     + no longer needed (were backports):
       - 101_parse_rb
       - 103_array_c_r17570_to_r17756
       - 301_dns_spoofing_r18424
       - 302_r18220_webrick_DoS
       - 303_r17726_syslog_safeleve4
       - 304_r17577_trace_var_safeleve4
       - 305_r18496_dl_tain
       - 306_r17586_methods_called_safelevel13
       - 307_r19033_rexml_DoS
       - 308_regexp_segv
       - 930_zero_tainted
     + Refreshed:
       - 919_common.mk_tweaks
     + 102_skip_test_copy_stream: file changed upstream, might no
       longer be needed.
   * Fix building on lpia (Closes: #532057).
   * Disable the test suite on hppa since it blocks because of strange
     signal semantics. (Closes: #514695).
   * Agree with ftpmaster's overrides.
   * Bumped Standards-Version to 3.8.2. No changes needed.
   * Build-Depends on procps. Closes: #510914.
   * debian/fixshebang.sh: skip non-text files, which works around
     hanging of sed on scanning gif images.
   * Added 940_test_file_exhaustive_fails_as_root and
     940_test_priority_fails to deal with test suite failures.
   * Added patch 940_test_thread_mutex_sync_shorter: makes
     test_mutex_synchronize much shorter to deal with slow arches.
     Closes: #514696.
   * Removed Fumitoshi UKAI <u...@debian.or.jp> from Uploaders. Thanks a
     lot for the past help! Closes: #541026.
Checksums-Sha1: 
 8a4989249a77a12e7d303ab560f5d1d823da800e 1629 ruby1.9_1.9.0.5-1.dsc
 efe207006a9c084a88e631c9e441108a3fa566c7 7341741 ruby1.9_1.9.0.5.orig.tar.gz
 eaf5ee4ae002117d874dab0a90db98171cdd5f35 54403 ruby1.9_1.9.0.5-1.diff.gz
 e57c0964e120f767e6cb8d03fdafa5a131c4f009 553394 ruby1.9-examples_1.9.0.5-1_all.deb
 cc8c9190a391a0eb35226834343be3018672944e 519012 ruby1.9-elisp_1.9.0.5-1_all.deb
 99df4d30563fbd3ba2fbbafe6f3f84734576db27 1535690 ri1.9_1.9.0.5-1_all.deb
 be0cd05a66cbfafd68b763ebfe2d3560f06b14fb 616678 rdoc1.9_1.9.0.5-1_all.deb
 bec84d49c2af222eaa4ae93e82d0d2771fd0508b 543668 irb1.9_1.9.0.5-1_all.deb
 78535f0562e69ce81dfe4a72ac52a6cd534f47f3 520640 ruby1.9_1.9.0.5-1_amd64.deb
 bd5db4becdc72bc0932e3022d603b01ff31e5c39 5919634 libruby1.9_1.9.0.5-1_amd64.deb
 afc107a2375161c16cf0d01157647f71015e3c34 497324 libruby1.9-dbg_1.9.0.5-1_amd64.deb
 55877b8a5492d6ea88bbf99ba87e0669b1baff9a 1466102 ruby1.9-dev_1.9.0.5-1_amd64.deb
 2d1a0766cb6293d8980eecc55a072293af02021d 506066 libdbm-ruby1.9_1.9.0.5-1_amd64.deb
 d034817227835e3899f3e0cc0dd9fb816bb978e6 505090 libgdbm-ruby1.9_1.9.0.5-1_amd64.deb
 cff670fbd342435d55c594e7ab09a721c0bad07e 507918 libreadline-ruby1.9_1.9.0.5-1_amd64.deb
 5649f3e895479c496c431f2f1166a30fbca1e19d 2230782 libtcltk-ruby1.9_1.9.0.5-1_amd64.deb
 c85bb99e72a94eab36b69d24ca3910e66537470e 628564 libopenssl-ruby1.9_1.9.0.5-1_amd64.deb
Checksums-Sha256: 
 ed6ba1021494c5c2e30b2dfa21803a6652988ffd4e3079172615ecb08994e60c 1629 ruby1.9_1.9.0.5-1.dsc
 a22dab43ef392ae57329823152f238d2b64cea09ff3eca087230d8c94e9bf8ea 7341741 ruby1.9_1.9.0.5.orig.tar.gz
 66267456aa1e733bb7033ac5e7917adf85a07ed3f1671deaa7d8c0c4e111c3a2 54403 ruby1.9_1.9.0.5-1.diff.gz
 b824a8030796a1bde0ebb61e8018021a5643437526b06edbc916e3c0a14d31d6 553394 ruby1.9-examples_1.9.0.5-1_all.deb
 c148d407254c8017c74592f9fac733521b17363bb0420834458e02c8e69a7bc9 519012 ruby1.9-elisp_1.9.0.5-1_all.deb
 a114c38ed207fa79b6a3565dc6638bd48d5463bad1b5b970c35a2891c090dcce 1535690 ri1.9_1.9.0.5-1_all.deb
 08903bdc0de33627dbaae22ae8eeea3af63e66775d4e2e90799bf6a07b7ee11c 616678 rdoc1.9_1.9.0.5-1_all.deb
 a5828c76595172091944db0c8183ff6ce62271d331b95e97f3efce561e92f651 543668 irb1.9_1.9.0.5-1_all.deb
 e13dcc06b58f91b446c8e55b2d35a203b7db66d69c567ef647b73e3a0c94b38f 520640 ruby1.9_1.9.0.5-1_amd64.deb
 88b62174d3d04b706cb86876933e4dda9146c2d504e18a34c80a775cfc00fbd1 5919634 libruby1.9_1.9.0.5-1_amd64.deb
 f7410957a252df1466c928da23c48d560b37d400e78707af581b346ea5d41993 497324 libruby1.9-dbg_1.9.0.5-1_amd64.deb
 71ec42414d50ceeefc3adc99dfd31765aca6be1c587e9563864fee38023c35a2 1466102 ruby1.9-dev_1.9.0.5-1_amd64.deb
 7a3186fbd397397ea91a8dbaa0abe447dddd8e444ee3a41c63c41591a800d7ca 506066 libdbm-ruby1.9_1.9.0.5-1_amd64.deb
 9b3c533d162346cf8a9391c8b1ceb518d0dc69f4f8ec9d74b233764ceff64e7a 505090 libgdbm-ruby1.9_1.9.0.5-1_amd64.deb
 3cebb4d84342dbca70929ef2616cd60a73e66e43b27b0b996346feb1cc9136fb 507918 libreadline-ruby1.9_1.9.0.5-1_amd64.deb
 e34443b15b7710e3d518d72fd8d08f74ae42f064eaad951878c0b210f01d3fcb 2230782 libtcltk-ruby1.9_1.9.0.5-1_amd64.deb
 c043dad493cee872dbf46e3448e494d792c470b076ca7905e7fa697ee16ac547 628564 libopenssl-ruby1.9_1.9.0.5-1_amd64.deb
Files: 
 ed6512aeaa8de91ce1bda8de968d9d6a 1629 ruby optional ruby1.9_1.9.0.5-1.dsc
 d7fe45dbdce8ab4d6e5c0466246d1e94 7341741 ruby optional ruby1.9_1.9.0.5.orig.tar.gz
 7bc996a4a3ca2269e12f201036bd810c 54403 ruby optional ruby1.9_1.9.0.5-1.diff.gz
 e778b3f72027d47e9d708dbebbba0dda 553394 ruby optional ruby1.9-examples_1.9.0.5-1_all.deb
 c38c3a53a58864919eab07be5c8f9504 519012 ruby optional ruby1.9-elisp_1.9.0.5-1_all.deb
 4dbbcf5f896b3aa278ed26f599060ccb 1535690 ruby optional ri1.9_1.9.0.5-1_all.deb
 384454a25665d3497090e2208e02dc87 616678 doc optional rdoc1.9_1.9.0.5-1_all.deb
 3b6772c9e3ce8c002a0c4edecc77416a 543668 ruby optional irb1.9_1.9.0.5-1_all.deb
 5899fada5a459f1c6f082af484d568da 520640 ruby optional ruby1.9_1.9.0.5-1_amd64.deb
 65a18c3747bf011e53400a1153b4a9f5 5919634 ruby optional libruby1.9_1.9.0.5-1_amd64.deb
 c25734c4206d06782468f3b5f5edafc0 497324 debug extra libruby1.9-dbg_1.9.0.5-1_amd64.deb
 dd71442aefb5d37b13999050f4c10173 1466102 ruby optional ruby1.9-dev_1.9.0.5-1_amd64.deb
 b3ccff6884e870c2a67f2d2d2213396b 506066 ruby optional libdbm-ruby1.9_1.9.0.5-1_amd64.deb
 2a46eb848ff2f744fcfb31a5e84719fa 505090 ruby optional libgdbm-ruby1.9_1.9.0.5-1_amd64.deb
 c7e46162fc8dc46569f7eba73346437d 507918 ruby optional libreadline-ruby1.9_1.9.0.5-1_amd64.deb
 7e23dad117d5cb9f3244e48a9b39887b 2230782 ruby optional libtcltk-ruby1.9_1.9.0.5-1_amd64.deb
 d38790c7bdc1f1c92c767d099df6a027 628564 ruby optional libopenssl-ruby1.9_1.9.0.5-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqPTWsACgkQNcPj+ukc0lCgfQCfa5SZBHU4QsV7/meWPJtun7Q5
/IUAoMeTH3kCHNPbqifG01qK7gmN4pwO
=9NCr
-----END PGP SIGNATURE-----



--- End Message ---