Your message dated Sun, 24 Dec 2017 15:14:02 +0000
with message-id <e1et7yu-000cna...@fasolo.debian.org>
and subject line Bug#884437: fixed in ruby2.5 2.5.0~rc1-1
has caused the Debian Bug report #884437,
regarding ruby2.5: CVE-2017-17405: Command injection vulnerability in Net::FTP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
884437: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884437
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby2.5
Version: 2.5.0~preview1-1
Severity: grave
Tags: patch security upstream fixed-upstream
Control: clone -1 -2
Control: reassign -2 ruby2.3 2.3.5-1
Control: found -2 2.3.3-1
Control: retitle -2 ruby2.3: CVE-2017-17405: Command injection vulnerability in Net::FTP

Hi,

the following vulnerability was published for ruby.

CVE-2017-17405[0]:
Command injection vulnerability in Net::FTP

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17405
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17405
[1] https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
[2] https://github.com/ruby/ruby/commit/6d3f72e5be2312be312f2acbf3465b05293c1431

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ruby2.5
Source-Version: 2.5.0~rc1-1

We believe that the bug you reported is fixed in the latest version of
ruby2.5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terce...@debian.org> (supplier of updated ruby2.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 24 Dec 2017 12:29:25 -0200
Source: ruby2.5
Binary: ruby2.5 libruby2.5 ruby2.5-dev ruby2.5-doc
Architecture: source
Version: 2.5.0~rc1-1
Distribution: unstable
Urgency: medium
Maintainer: Antonio Terceiro <terce...@debian.org>
Changed-By: Antonio Terceiro <terce...@debian.org>
Description:
 libruby2.5 - Libraries necessary to run Ruby 2.5
 ruby2.5    - Interpreter of object-oriented scripting language Ruby
 ruby2.5-dev - Header files for compiling extension modules for the Ruby 2.5
 ruby2.5-doc - Documentation for Ruby 2.5
Closes: 832022 881772 884437
Changes:
 ruby2.5 (2.5.0~rc1-1) unstable; urgency=medium
 .
   * New upstream release candidate. Includes the following fixes:
     - Fix stack size on powerpc64 (Closes: #881772)
     - CVE-2017-17405: Command injection vulnerability in Net::FTP
       (Closes: #884437)
   * Refresh patches
   * debian/control:
     - Remove explicit Testsuite: header
     - ruby2.5-dev: Recommends: ruby2.5-doc
     - Declare compatibility with Debian Policy 4.1.2; no changes needed
     - Bump debhelper compatibility level to 10
       - change debian/rules to call ./configure directly, to use upstream's
         built-in multiarch support as before debhelper compatibility level 9
   * debian/watch: download release tarballs.
     Using release tarballs makes it possible to build ruby without having an
     existing ruby. This should help bootstrapping ruby on new
     architectures. (Closes: #832022)
   * debian/copyright: exclude embedded copies of bundled gems and libffi
   * debian/rules:
     - run tests in verbose mode during build
     - drop explicit usage of autotools-dev
     - drop usage of autoreconf debhelper sequence, it's not needed anymore
       since we are now using a complete upstream release tarball
     - drop passing --baseruby to configure, since we do not require an existing
       ruby anymore
     - skip setting DEB_HOST_MULTIARCH if already set
     - replace manual call to dpkg-parsechangelog with including
       /usr/share/dpkg/pkg-info.mk and using variables from there.
   * autopkgtest: make use of the text exclusion rules under test/excludes/
   * debian/libruby2.5.symbols: update with symbols added/removed since the
     preview1 release
   * debian/tests/bundled-gems: handle extra field in gems/bundled_gems
   * debian/libruby2.5.lintian-overrides: remove unused override
     (possible-gpl-code-linked-with-openssl)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
