Your message dated Sat, 02 Jan 2021 13:04:43 +0000
with message-id <e1kvgaj-0005wu...@fasolo.debian.org>
and subject line Bug#967061: fixed in ruby-faye-websocket 0.11.0-1
has caused the Debian Bug report #967061,
regarding ruby-faye-websocket: CVE-2020-15133
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
967061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967061
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-faye-websocket
Version: 0.10.7-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for ruby-faye-websocket.

CVE-2020-15133[0]:
| In faye-websocket before version 0.11.0, there is a lack of
| certification validation in TLS handshakes. The
| `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls`
| method in EventMachine to implement the TLS handshake whenever a
| `wss:` URL is used for the connection. This method does not implement
| certificate verification by default, meaning that it does not check
| that the server presents a valid and trusted TLS certificate for the
| expected hostname. That means that any `wss:` connection made using
| this library is vulnerable to a man-in-the-middle attack, since it
| does not confirm the identity of the server it is connected to. For
| further background information on this issue, please see the
| referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is
| recommended.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15133
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15133
[1] https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv
[2] https://github.com/faye/faye-websocket-ruby/pull/129
[3] https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/

Regards,
Salvatore

--- End Message ---
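The CVE text above names the mechanism (a `wss:` client that completes the TLS handshake without checking the server certificate) but not what the missing check consists of. The Ruby script below is an added example, not code from faye-websocket, EventMachine or the Debian package; it uses Ruby's standard OpenSSL bindings rather than `EM::Connection#start_tls`. It models the two checks a verifying client must perform (chain to a trusted root, then match the certificate's name against the host in the URL), models the pre-0.11.0 behaviour as OpenSSL's `VERIFY_NONE`, and shows why both checks are needed: an on-path attacker can mint a self-signed certificate carrying the victim's hostname, so a hostname check without chain validation is not enough. The CA, server and attacker certificates are constructed in memory; `ws.example.test` is a hypothetical hostname.

```ruby
require 'openssl'

# Added example, not faye-websocket/EventMachine code. All certificates are
# generated in memory; "ws.example.test" is a hypothetical hostname.

def new_key
  OpenSSL::PKey::RSA.new(2048)
end

# Issue an X.509 certificate. issuer == nil produces a self-signed certificate.
def issue_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, dns_names: [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  unless dns_names.empty?
    san = dns_names.map { |d| "DNS:#{d}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Check 1: the certificate chains to a root we trust.
# Check 2: a name in the certificate matches the host from the wss: URL.
# With VERIFY_NONE (the behaviour the CVE describes) neither check runs and
# whatever the peer presents is accepted.
def check_server_cert(cert, trusted_roots, hostname, verify_mode: OpenSSL::SSL::VERIFY_PEER)
  return :accepted_unverified if verify_mode == OpenSSL::SSL::VERIFY_NONE

  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  return :untrusted_chain unless store.verify(cert)
  return :hostname_mismatch unless OpenSSL::SSL.verify_certificate_identity(cert, hostname)

  :ok
end

# The SSLContext settings a verifying client needs. A freshly created
# SSLContext verifies nothing, which is the same default the advisory describes.
def hardened_ssl_context(trusted_roots)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true # the caller must also set SSLSocket#hostname before connecting
  ctx.cert_store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| ctx.cert_store.add_cert(root) }
  ctx
end

def demo
  root_key = new_key
  root = issue_cert('Example Root CA', root_key, ca: true)

  server_key = new_key
  server = issue_cert('ws.example.test', server_key, issuer: root, issuer_key: root_key,
                      dns_names: ['ws.example.test'])

  # An on-path attacker can self-sign a certificate that carries the victim's hostname.
  mitm_key = new_key
  mitm = issue_cert('ws.example.test', mitm_key, dns_names: ['ws.example.test'])

  {
    vulnerable_default: check_server_cert(mitm, [root], 'ws.example.test',
                                          verify_mode: OpenSSL::SSL::VERIFY_NONE),
    genuine_server:     check_server_cert(server, [root], 'ws.example.test'),
    mitm_rejected:      check_server_cert(mitm, [root], 'ws.example.test'),
    wrong_host:         check_server_cert(server, [root], 'api.example.test'),
  }
end

if __FILE__ == $0
  demo.each { |name, result| puts "#{name}: #{result}" }
end
```

The `vulnerable_default` entry is the attack the advisory describes: the attacker's certificate is accepted outright. With `VERIFY_PEER` the same certificate fails chain validation even though its name matches, and a genuine certificate for a different host fails the hostname check. When auditing a client, look for both settings in `hardened_ssl_context`; `verify_mode` alone does not check the hostname.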
--- Begin Message ---
Source: ruby-faye-websocket
Source-Version: 0.11.0-1
Done: Utkarsh Gupta <utka...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-faye-websocket, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 967...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utka...@debian.org> (supplier of updated ruby-faye-websocket package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 02 Jan 2021 18:05:54 +0530
Source: ruby-faye-websocket
Architecture: source
Version: 0.11.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utka...@debian.org>
Closes: 967061
Changes:
 ruby-faye-websocket (0.11.0-1) unstable; urgency=medium
 .
   [ Utkarsh Gupta ]
   * Add salsa-ci.yml
 .
   [ Debian Janitor ]
   * Bump debhelper from old 11 to 12.
   * Set debhelper-compat version in Build-Depends.
   * Set upstream metadata fields: Bug-Database, Bug-Submit,
     Repository, Repository-Browse.
   * Update standards version to 4.4.1, no changes needed.
 .
   [ Cédric Boutillier ]
   * [ci skip] Update team name
   * [ci skip] Add .gitattributes to keep unwanted files out
     of the source package
 .
   [ Utkarsh Gupta ]
   * New upstream version 0.11.0
     - Implement SSL certificate verification.
       (Fixes: CVE-2020-15133) (Closes: #967061)
   * Fix package wrt cme
   * Drop unnecessary dependency on ruby interpreter
   * Use @d.o address
Checksums-Sha1:
 3c863927c4266537b8377f29ff8a55786521f892 2175 ruby-faye-websocket_0.11.0-1.dsc
 4328ab23e107b9b6deed5ee99363aba10f511575 22409 ruby-faye-websocket_0.11.0.orig.tar.gz
 8c8087b6b696e14fffe021234310fac4fd26e341 2616 ruby-faye-websocket_0.11.0-1.debian.tar.xz
 bfe32de28e99436ce38f35ffeef0d0c0c70a50ae 9206 ruby-faye-websocket_0.11.0-1_amd64.buildinfo
Checksums-Sha256:
 cb528412f7fdca70b6d438920fbe32070d200a1fe96a13158fc19feac3ab557c 2175 ruby-faye-websocket_0.11.0-1.dsc
 eb1bddb8eea6ecaeeb7ace2431a5a1cf69423948322e7da1cb1e784bc3902e0e 22409 ruby-faye-websocket_0.11.0.orig.tar.gz
 138ecd6bf219acef22c48e83c5b178568e1408647e021475c9969a12c17c5f21 2616 ruby-faye-websocket_0.11.0-1.debian.tar.xz
 f569bbbef610e12bd3ffb9c21219cd951b6ce4d75645fdf7bf93a3b8b37ae869 9206 ruby-faye-websocket_0.11.0-1_amd64.buildinfo
Files:
 ab91de2dbe5d40039ba6bd2652cd3468 2175 ruby optional ruby-faye-websocket_0.11.0-1.dsc
 0e87c10b92e77de08d0c8a1e81ab0164 22409 ruby optional ruby-faye-websocket_0.11.0.orig.tar.gz
 b25c9c3e6ae6114847a06f4558950713 2616 ruby optional ruby-faye-websocket_0.11.0-1.debian.tar.xz
 8d15a11cc28b83da7b9b878ada0ed9aa 9206 ruby optional ruby-faye-websocket_0.11.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCAAxFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl/wavITHHV0a2Fyc2hA
ZGViaWFuLm9yZwAKCRCCPpZ2BsNLlvd+D/0R+dsbBQPreMMkM+0p5i4OcnuE8Ive
WZNVEDpsJDmq882Rm7rY6tnPrfyHzQRiNiEoCJNN6dFHMTeFFdKYzxMLrOUdeeGo
PJhB8Sb/9NO/LlNgoBgp2ekTjS0BkQAd0a3Tz8bZkBCcvT6vQOC3MHjhb1YrpNvj
mLqjvQ8LclJd0miZo/r1jBzdUClBAxP33UnmsRz1kPvTMKRRA90QR3mOfs+xGyxb
6RzfvevXdFnT7JqLZhVw5Ko1zOTFd8dGO1sxonGYZQ5kqbnmeHKRhDOMC6VXBhi2
rvWNwfC9IBN+/SRaRQ95+reFqnl3YiSWS6Fz1Ah7xsP5qYF0VnMejlmet1jqiArR
294++svHo8SHb5IEDNOh6GYRYIiANuZrk8gEkT+iGpU3421SjqzH8QhuUHQWs1js
LWr6zts7JbZbDrSn+d/UgiFdkzsPiC37LKzCPai+JhuhEkGg149xQB3K7bovL8rk
SnO8eSyMepesn9OT0CcXlRQvP8JZqiUhEtL4mn8oGLbLM1fCs8CkNuNrDSrYjKFJ
q+RQkwRXkjsb2B6WuCJougWVx0w+VDm4/ra8xnirOziw6ku5bi/uH0ipE0qosPuY
cAQXXLGKR6S6fAzpk4cg5ESMZw5R9r9HnILT11fZmoywxW5Vegs6B1pTKaBod5iv
u2nH4k1GVKUePQ==
=u1aJ
-----END PGP SIGNATURE-----

--- End Message ---