Your message dated Tue, 28 Feb 2017 16:20:21 +0000
with message-id <e1cikvh-000izn...@fasolo.debian.org>
and subject line Bug#856269: fixed in ruby-zip 1.2.0-1.1
has caused the Debian Bug report #856269,
regarding ruby-zip: CVE-2017-5946
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
856269: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856269
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-zip
Version: 1.1.6-1
Severity: grave
Tags: upstream patch security
Forwarded: https://github.com/rubyzip/rubyzip/issues/315
Hi,
the following vulnerability was published for ruby-zip.
CVE-2017-5946[0]:
| The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a
| directory traversal vulnerability. If a site allows uploading of .zip
| files, an attacker can upload a malicious file that uses "../" pathname
| substrings to write arbitrary files to the filesystem.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-5946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5946
[1] https://github.com/rubyzip/rubyzip/issues/315
Regards,
Salvatore
--- End Message ---
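The traversal described in the bug report above, as an added Ruby example that is neither rubyzip's own code nor the Debian patch: a destination-path check of the kind an extractor needs so that entry names containing "../" cannot write outside the extraction directory. The `SafeZipPath` module, the `/tmp/extract` destination and the sample entry names are assumptions constructed for illustration.

```ruby
# Added example (not rubyzip's code): validate a zip entry name against the
# extraction directory before writing anything to disk.
module SafeZipPath
  module_function

  # Zip entry names should use "/", but some writers emit "\"; normalise so
  # that "..\..\x" is checked the same way as "../../x".
  def normalize(entry_name)
    entry_name.gsub('\\', '/')
  end

  # Returns the absolute target path for entry_name inside dest_dir, or nil
  # when the entry would escape dest_dir (or is absolute).
  def resolve(dest_dir, entry_name)
    root = File.expand_path(dest_dir)
    name = normalize(entry_name)
    # An archive must not choose its own destination: reject absolute names.
    return nil if name.start_with?('/')
    target = File.expand_path(name, root)
    # Accept only root itself or a descendant of root. Comparing against
    # root plus a separator keeps "/tmp/extract" from matching "/tmp/extractX".
    return nil unless target == root || target.start_with?(root + File::SEPARATOR)
    target
  end

  # Constructed sample entry names (assumption): two benign, three escaping.
  SAMPLE_ENTRIES = [
    'docs/readme.txt',   # stays inside the destination
    'a/../b.txt',        # ".." that still resolves inside the destination
    '../../outside.txt', # escapes via leading ".."
    '/abs/outside.txt',  # absolute path
    'x/../../y.txt'      # escapes via nested ".."
  ].freeze

  # Partition entry names into [accepted, rejected], as an extractor would
  # before calling extract on any of them.
  def classify(dest_dir, entries = SAMPLE_ENTRIES)
    entries.partition { |e| !resolve(dest_dir, e).nil? }
  end
end

if __FILE__ == $PROGRAM_NAME
  accepted, rejected = SafeZipPath.classify('/tmp/extract')
  puts "accepted: #{accepted.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```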
--- Begin Message ---
Source: ruby-zip
Source-Version: 1.2.0-1.1
We believe that the bug you reported is fixed in the latest version of
ruby-zip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 856...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated ruby-zip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 27 Feb 2017 17:38:59 +0100
Source: ruby-zip
Binary: ruby-zip
Architecture: source
Version: 1.2.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 856269
Description:
ruby-zip - Ruby module for reading and writing zip files
Changes:
ruby-zip (1.2.0-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2017-5946: directory traversal vulnerability in Zip::File component
(Closes: #856269)
--- End Message ---