Your message dated Thu, 19 Jul 2018 19:17:39 +0000
with message-id <e1fgeql-000b7x...@fasolo.debian.org>
and subject line Bug#892250: fixed in ruby-rack-protection 1.5.3-2+deb9u1
has caused the Debian Bug report #892250,
regarding ruby-rack-protection: CVE-2018-1000119: Timing attack in 
authenticity_token.rb
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
892250: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892250
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-rack-protection
Version: 1.5.2-1
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for ruby-rack-protection.

CVE-2018-1000119[0]:
Timing attack in authenticity_token.rb

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000119
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000119
[1] https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1534027

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ruby-rack-protection
Source-Version: 1.5.3-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
ruby-rack-protection, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <j...@debian.org> (supplier of updated ruby-rack-protection 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 15 Jul 2018 20:46:41 +0200
Source: ruby-rack-protection
Binary: ruby-rack-protection
Architecture: source all
Version: 1.5.3-2+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Moritz Muehlenhoff <j...@debian.org>
Description:
 ruby-rack-protection - Protects against typical web attacks for Rack apps
Closes: 892250
Changes:
 ruby-rack-protection (1.5.3-2+deb9u1) stretch-security; urgency=medium
 .
   * CVE-2018-1000119 (Closes: #892250)


--- End Message ---
