Your message dated Sat, 02 Jan 2021 13:19:15 +0000
with message-id <e1kvgon-0007v5...@fasolo.debian.org>
and subject line Bug#967063: fixed in ruby-faye 1.4.0-1
has caused the Debian Bug report #967063,
regarding ruby-faye: CVE-2020-15134
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
967063: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967063
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-faye
Version: 1.2.4-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/faye/faye/issues/524
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for ruby-faye.
CVE-2020-15134[0]:
| In Faye before version 1.4.0, there is a lack of certificate validation
| in TLS handshakes. Faye uses em-http-request and faye-websocket in the
| Ruby version of its client. Those libraries both use the
| `EM::Connection#start_tls` method in EventMachine to implement the TLS
| handshake whenever a `wss:` URL is used for the connection. This
| method does not implement certificate verification by default, meaning
| that it does not check that the server presents a valid and trusted
| TLS certificate for the expected hostname. That means that any
| `https:` or `wss:` connection made using these libraries is vulnerable
| to a man-in-the-middle attack, since it does not confirm the identity
| of the server it is connected to. The first request a Faye client
| makes is always sent via normal HTTP, but later messages may be sent
| via WebSocket. Therefore it is vulnerable to the same problem that
| these underlying libraries are, and we needed both libraries to
| support TLS verification before Faye could claim to do the same. Your
| client would still be insecure if its initial HTTPS request was
| verified, but later WebSocket connections were not. This is fixed in
| Faye v1.4.0, which enables verification by default. For further
| background information on this issue, please see the referenced GitHub
| Advisory.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-15134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15134
[1] https://github.com/faye/faye/security/advisories/GHSA-3q49-h8f9-9fr9
[2] https://github.com/faye/faye/issues/524
[3] https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/
Regards,
Salvatore
--- End Message ---
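The check the advisory above says `EM::Connection#start_tls` does not perform, as an added example in Ruby (not Faye's, em-http-request's or faye-websocket's own code): it builds a constructed test PKI with the stdlib openssl module, then validates a presented chain against a trust store and matches the leaf certificate to the hostname the client intended to reach. The function names, the hostname faye.example and the test certificates are assumptions made for this example.

```ruby
require 'openssl'

# Constructed test PKI (not real certificates): a root CA, a leaf certificate
# for faye.example issued by it, and an attacker's self-signed certificate that
# claims the same name. A real client would load the system trust bundle.
def make_cert(subject, key, serial, issuer: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}")) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY     = OpenSSL::PKey::RSA.new(2048)
CA_CERT    = make_cert('/CN=Test Root CA', CA_KEY, 1, ca: true)
LEAF_KEY   = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT  = make_cert('/CN=faye.example', LEAF_KEY, 2, issuer: CA_CERT,
                       issuer_key: CA_KEY, san: 'faye.example')
ROGUE_CERT = make_cert('/CN=faye.example', OpenSSL::PKey::RSA.new(2048), 3, san: 'faye.example')

# The two checks start_tls leaves to the caller: the presented chain must lead
# to a trusted CA, and the leaf must be valid for the hostname the client meant
# to reach. pem_chain is leaf first. Returns [ok, reason].
def verify_server_chain(pem_chain, hostname, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  leaf, *intermediates = pem_chain.map { |pem| OpenSSL::X509::Certificate.new(pem) }
  return [false, 'chain not trusted'] unless store.verify(leaf, intermediates)
  return [false, 'hostname mismatch'] unless OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
  [true, 'ok']
end

# Wiring sketch (assumed pattern, eventmachine is not loaded here): call
# start_tls(verify_peer: true, sni_hostname: host), collect the PEM strings
# EventMachine hands to ssl_verify_peer (return true to keep reading the chain),
# then run verify_server_chain in ssl_handshake_completed and close on failure.
if __FILE__ == $0
  p verify_server_chain([LEAF_CERT.to_pem], 'faye.example', [CA_CERT])  # => [true, "ok"]
  p verify_server_chain([LEAF_CERT.to_pem], 'evil.example', [CA_CERT])  # => [false, "hostname mismatch"]
  p verify_server_chain([ROGUE_CERT.to_pem], 'faye.example', [CA_CERT]) # => [false, "chain not trusted"]
end
```

The third call is the man-in-the-middle case the advisory describes: a certificate bearing the right name but not chaining to a trusted CA must be rejected, which a client that only calls start_tls without these checks would accept.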
--- Begin Message ---
Source: ruby-faye
Source-Version: 1.4.0-1
Done: Utkarsh Gupta <utka...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ruby-faye, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 967...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <utka...@debian.org> (supplier of updated ruby-faye package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 02 Jan 2021 18:18:03 +0530
Source: ruby-faye
Architecture: source
Version: 1.4.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utka...@debian.org>
Closes: 959392 967063
Changes:
 ruby-faye (1.4.0-1) unstable; urgency=medium
 .
   [ Utkarsh Gupta ]
   * Add salsa-ci.yml
 .
   [ Debian Janitor ]
   * Bump debhelper from old 11 to 12.
   * Set debhelper-compat version in Build-Depends.
   * Set upstream metadata fields: Bug-Database,
     Bug-Submit, Repository, Repository-Browse.
   * Update standards version to 4.4.1, no changes needed.
   * Update standards version to 4.5.0, no changes needed.
 .
   [ Utkarsh Gupta ]
   * New upstream version 1.4.0
     - Address em-http-request warnings about `verify_peer`.
       (Fixes: CVE-2020-15134) (Closes: #967063)
     - Strict meta channel recognition in server.
       (Fixes: CVE-2020-11020) (Closes: #959392)
   * Tighten dependency on ruby-{faye-websocket, em-http-request}
   * Add patch to relax em-http-request dependency
   * Fix package wrt cme
   * Use @d.o address
   * Drop unnecessary dependency on ruby interpreter
--- End Message ---