Your message dated Sat, 24 Nov 2018 15:19:30 +0000
with message-id <e1gqziu-000guv...@fasolo.debian.org>
and subject line Bug#911920: fixed in ruby2.5 2.5.3-1
has caused the Debian Bug report #911920,
regarding ruby2.5: CVE-2018-16396: Tainted flags are not propagated in 
Array#pack and String#unpack with some directives
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
911920: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911920
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby2.5
Version: 2.5.1-6
Severity: grave
Tags: patch security upstream
Justification: user security hole

Hi,

The following vulnerability was published for ruby2.5.

CVE-2018-16396[0]:
Tainted flags are not propagated in Array#pack and String#unpack with some 
directives

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16396
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16396
[1] https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ruby2.5
Source-Version: 2.5.3-1

We believe that the bug you reported is fixed in the latest version of
ruby2.5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 911...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terce...@debian.org> (supplier of updated ruby2.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 24 Nov 2018 12:38:59 -0200
Source: ruby2.5
Binary: ruby2.5 libruby2.5 ruby2.5-dev ruby2.5-doc
Architecture: source
Version: 2.5.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terce...@debian.org>
Description:
 libruby2.5 - Libraries necessary to run Ruby 2.5
 ruby2.5    - Interpreter of object-oriented scripting language Ruby
 ruby2.5-dev - Header files for compiling extension modules for the Ruby 2.5
 ruby2.5-doc - Documentation for Ruby 2.5
Closes: 898051 911717 911920 913181
Changes:
 ruby2.5 (2.5.3-1) unstable; urgency=medium
 .
   * New upstream version 2.5.3
     - Includes fix for CVE-2018-16396, "Tainted flags are not propagated in
       Array#pack and String#unpack with some directives" (Closes: #911920)
   * Refresh patches:
     - Dropped 0009-merge-changes-in-ruby-openssl-v2.1.1.patch, already applied
       upstream.
   * Add tzdata to Build-Depends (Closes: #911717)
   * Cherry-pick upstream commit with update to tests due to changes in tzdata
     2018f (Closes: #913181)
   * Update gemspec reproducibility patch to also make new default gems fiddle
     and ipaddr reproducible. (Closes: #898051)
   * debian/rules: don't install created.rid file produced by rdoc to make
     build reproducible. This file is used by rdoc to decide when to update
     documentation when in use in interactive settings, and containing a
     timestamp is one of its functions. It is not necessary for a binary
     package, though, because the included documentation will never need to be
     updated in-place.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
