Your message dated Wed, 19 May 2021 15:32:11 +0000
with message-id <e1ljob9-0006mv...@fasolo.debian.org>
and subject line Bug#944849: fixed in ruby-rack-cors 1.0.2-1+deb10u1
has caused the Debian Bug report #944849,
regarding ruby-rack-cors: CVE-2019-18978
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
944849: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944849
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-rack-cors
Version: 1.0.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerability was published for ruby-rack-cors.
CVE-2019-18978[0]:
| An issue was discovered in the rack-cors (aka Rack CORS Middleware)
| gem before 1.0.4 for Ruby. It allows ../ directory traversal to access
| private resources because resource matching does not ensure that
| pathnames are in a canonical format.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-18978
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18978
[1] https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ruby-rack-cors
Source-Version: 1.0.2-1+deb10u1
Done: Utkarsh Gupta <utka...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ruby-rack-cors, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 944...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <utka...@debian.org> (supplier of updated ruby-rack-cors package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 13 May 2021 15:24:15 +0530
Source: ruby-rack-cors
Binary: ruby-rack-cors
Architecture: source all
Version: 1.0.2-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utka...@debian.org>
Description:
ruby-rack-cors - enable Cross-Origin Resource Sharing in Rack apps
Closes: 944849
Changes:
ruby-rack-cors (1.0.2-1+deb10u1) buster-security; urgency=high
.
* Unescape and resolve paths before resource checks.
(Fixes: CVE-2019-18978) (Closes: #944849)
--- End Message ---
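The CVE text quoted in the report and the changelog entry "Unescape and resolve paths before resource checks" describe the defect and its fix. The following is an added example, not rack-cors code: a minimal stand-in for a CORS resource check with a constructed allow-list (`/public/` only), showing the raw-path match beside the canonicalised one so the effect of unescaping and resolving `..` segments is visible.

```ruby
# Added example, not code from rack-cors or Debian. A constructed stand-in
# for a CORS resource check: only paths under /public/ may be served
# cross-origin. The question is what string is compared with that rule.
ALLOWED_RESOURCE = %r{\A/public/}

# Percent-decode a path ("%2e" -> "."). Assumption: single-byte escapes,
# which is all the constructed inputs below use.
def unescape_path(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Resolve "." and ".." segments into canonical form without climbing
# above the root; a trailing slash is preserved (same idea as Rack's
# clean_path_info, re-implemented here so the example runs without Rack).
def resolve_path(path)
  segments = []
  path.split('/').each do |seg|
    case seg
    when '', '.' then next
    when '..' then segments.pop
    else segments << seg
    end
  end
  result = '/' + segments.join('/')
  result << '/' if path.end_with?('/') && result != '/'
  result
end

def canonical_path(path)
  resolve_path(unescape_path(path))
end

# Vulnerable shape: the rule is matched against PATH_INFO exactly as
# received, so "/public/../private/data" still starts with "/public/".
def cors_allowed_vulnerable?(path_info)
  ALLOWED_RESOURCE.match?(path_info)
end

# Fixed shape: unescape and resolve first, then match the real target.
def cors_allowed_fixed?(path_info)
  ALLOWED_RESOURCE.match?(canonical_path(path_info))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample paths: one legitimate, two traversal variants.
  ['/public/index.json', '/public/../private/data', '/public/%2e%2e/private/data'].each do |p|
    printf("%-30s canonical=%-15s vulnerable=%-5s fixed=%s\n",
           p, canonical_path(p), cors_allowed_vulnerable?(p), cors_allowed_fixed?(p))
  end
end
```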