Your message dated Wed, 29 Nov 2017 09:02:46 +0000
with message-id <e1ejygu-00065l...@fasolo.debian.org>
and subject line Bug#881445: fixed in ruby-ox 2.1.1-2+deb9u1
has caused the Debian Bug report #881445,
regarding ruby-ox: CVE-2017-15928: Segmentation fault in the parse_obj
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
881445: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-ox
Version: 2.1.1-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/ohler55/ox/issues/194
Hi,
the following vulnerability was published for ruby-ox.
Rationale for RC severity: I think the issue warrants being addressed for
the next stable release. The issue itself, though, possibly does not
warrant a DSA on its own for stretch and jessie.
CVE-2017-15928[0]:
| In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation
| fault when a crafted input is supplied to parse_obj. NOTE: the vendor
| has stated "Ox should handle the error more gracefully" but has not
| confirmed a security implication.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-15928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15928
[1] https://github.com/ohler55/ox/issues/194
[2] https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ruby-ox
Source-Version: 2.1.1-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
ruby-ox, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 881...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Cédric Boutillier <bou...@debian.org> (supplier of updated ruby-ox package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 26 Nov 2017 01:08:40 +0100
Source: ruby-ox
Binary: ruby-ox
Architecture: source
Version: 2.1.1-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Cédric Boutillier <bou...@debian.org>
Description:
ruby-ox - fast XML parser and object serializer
Closes: 881445
Changes:
ruby-ox (2.1.1-2+deb9u1) stretch; urgency=medium
.
* Team upload
* Add fix_parse_obj_segfault.patch picked from upstream
+ fix CVE-2017-15928: segmentation fault in parse_obj
(Closes: #881445)
--- End Message ---