Your message dated Fri, 21 May 2021 14:47:09 +0000
with message-id <e1lk6qf-000ikv...@fasolo.debian.org>
and subject line Bug#964274: fixed in ruby-websocket-extensions 0.1.2-1+deb10u1
has caused the Debian Bug report #964274,
regarding ruby-websocket-extensions: CVE-2020-7663
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
964274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964274
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-websocket-extensions
Version: 0.1.2-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for ruby-websocket-extensions.
CVE-2020-7663[0]:
| websocket-extensions ruby module prior to 0.1.5 allows Denial of
| Service (DoS) via Regex Backtracking. The extension parser may take
| quadratic time when parsing a header containing an unclosed string
| parameter value whose content is a repeating two-byte sequence of a
| backslash and some other character. This could be abused by an
| attacker to conduct Regex Denial Of Service (ReDoS) on a
| single-threaded server by providing a malicious payload with the
| Sec-WebSocket-Extensions header.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-7663
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7663
[1] https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
[2] https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b
Regards,
Salvatore
--- End Message ---
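The CVE text above describes the failure mode in general terms: a regex-based parser for the Sec-WebSocket-Extensions header that can spend quadratic time on an unclosed quoted-string parameter made of repeated backslash-plus-character pairs. The usual mitigation is a hand-written, single-pass scanner in which every byte is read a bounded number of times, so an unclosed string simply runs off the end of the input and fails. The Ruby below is an added illustration of that approach; it is not code from the websocket-extensions gem, from the upstream fix, or from the Debian package, and the names ExtensionScanner, ExtensionParseError, parse_extensions, parse_with_cost and the `examined` counter are assumptions made here. The grammar it follows is the one RFC 6455 §9.1 gives for the header (extension-list = 1#extension; extension = token *(";" param); param = token ["=" (token | quoted-string)]).

```ruby
require 'set'

# Added example (not from the websocket-extensions gem or the Debian package):
# a single-pass, non-backtracking scanner for a Sec-WebSocket-Extensions value.
# Every character is read a bounded number of times, so the unclosed-string
# input shape described in CVE-2020-7663 costs linear rather than quadratic time.
class ExtensionParseError < StandardError; end

class ExtensionScanner
  # RFC 7230 "tchar": the characters allowed in an unquoted token (assumed set).
  TCHAR = Set.new(
    ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a + %w[! # $ % & ' * + - . ^ _ ` | ~]
  ).freeze

  attr_reader :examined # number of character reads performed; shows the cost is linear

  def initialize(header)
    @s = header
    @pos = 0
    @examined = 0
  end

  # Returns an Array of [name, params] pairs. params maps each parameter name to
  # its decoded value, or to true when the parameter carries no value.
  def parse
    exts = []
    loop do
      skip_ws
      name = read_token
      params = {}
      skip_ws
      while peek == ";"
        advance
        skip_ws
        pname = read_token
        skip_ws
        if peek == "="
          advance
          skip_ws
          params[pname] = peek == '"' ? read_quoted : read_token
          skip_ws
        else
          params[pname] = true
        end
      end
      exts << [name, params]
      break if peek.nil?
      raise ExtensionParseError, "expected ',' at #{@pos}" unless peek == ","
      advance
    end
    exts
  end

  private

  def peek
    @examined += 1
    @pos < @s.length ? @s[@pos] : nil
  end

  def advance
    @pos += 1
  end

  def skip_ws
    advance while (c = peek) && (c == " " || c == "\t")
  end

  def read_token
    start = @pos
    advance while (c = peek) && TCHAR.include?(c)
    raise ExtensionParseError, "expected token at #{start}" if @pos == start
    @s[start...@pos]
  end

  # quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE. A backslash always
  # consumes exactly the next character, so there is only one way to scan any
  # prefix and nothing to retry when the closing quote never arrives: the scanner
  # reaches end of input once and raises.
  def read_quoted
    advance # opening DQUOTE
    out = +""
    loop do
      c = peek
      raise ExtensionParseError, "unclosed quoted-string" if c.nil?
      advance
      case c
      when '"' then return out
      when "\\"
        e = peek
        raise ExtensionParseError, "dangling backslash" if e.nil?
        advance
        out << e
      else
        out << c
      end
    end
  end
end

def parse_extensions(header)
  ExtensionScanner.new(header).parse
end

# Parse and report the read count: [result, error_message, examined].
def parse_with_cost(header)
  sc = ExtensionScanner.new(header)
  [sc.parse, nil, sc.examined]
rescue ExtensionParseError => e
  [nil, e.message, sc.examined]
end
```

The point of `examined` is to make the complexity claim checkable: for a well-formed header or for the CVE's unclosed `"\x\x\x...` shape alike, the count stays within a small constant of the header length, which a backtracking regex with overlapping alternatives such as `\\.` and `[^"]` cannot guarantee. Raising on an unclosed string, rather than silently tolerating it, is also the conservative choice for a handshake header.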
--- Begin Message ---
Source: ruby-websocket-extensions
Source-Version: 0.1.2-1+deb10u1
Done: Chris Lamb <la...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ruby-websocket-extensions, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 964...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated ruby-websocket-extensions package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 13 May 2021 11:23:30 +0100
Source: ruby-websocket-extensions
Binary: ruby-websocket-extensions
Architecture: source all
Version: 0.1.2-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
ruby-websocket-extensions - Generic extension manager for WebSocket connections
Closes: 964274
Changes:
 ruby-websocket-extensions (0.1.2-1+deb10u1) buster; urgency=medium
 .
   * CVE-2020-7663: Prevent a denial of service attack that is exploitable
     by an exponential-time regular expression backtracking vulnerability.
     (Closes: #964274)
Checksums-Sha1:
 b89b8d5d73c5aa6ebab19c4d6a2e4afe8d13d78d 2232 ruby-websocket-extensions_0.1.2-1+deb10u1.dsc
 930a2f8c4a192142f8d18343f24201c6e0558498 2672 ruby-websocket-extensions_0.1.2-1+deb10u1.debian.tar.xz
 b184c7f60a46a1c483c36586c8a1ae6ffaead4b7 9868 ruby-websocket-extensions_0.1.2-1+deb10u1_all.deb
 e3ce51b2abe810a68445a9a745446ee502667c05 9060 ruby-websocket-extensions_0.1.2-1+deb10u1_amd64.buildinfo
Checksums-Sha256:
 4bd2e3f3fd198a249ff54a0ef897cc9f86a94186c36d024ae471ce7df5d99145 2232 ruby-websocket-extensions_0.1.2-1+deb10u1.dsc
 17cff3ce972cac784285efe3b4461267b85cb7bec9e16f7e1646a4a078184646 2672 ruby-websocket-extensions_0.1.2-1+deb10u1.debian.tar.xz
 fcaa1b942765aa1eb6897b327ce910a1e304d60fee83fedad47c7bf9a3791ea7 9868 ruby-websocket-extensions_0.1.2-1+deb10u1_all.deb
 5faf8f4f8b7691fd0979fa5e14def2d202a306fc936348bf55af6ddbebcbdb07 9060 ruby-websocket-extensions_0.1.2-1+deb10u1_amd64.buildinfo
Files:
 912a3f68cb0efb1a103792cedcefc30c 2232 ruby optional ruby-websocket-extensions_0.1.2-1+deb10u1.dsc
 604995a868d6184d4451d47e433c2333 2672 ruby optional ruby-websocket-extensions_0.1.2-1+deb10u1.debian.tar.xz
 c1f0cda0da75c5dd277f35c16f786496 9868 ruby optional ruby-websocket-extensions_0.1.2-1+deb10u1_all.deb
 74e82bb802bebfa4ab0c443a78c0b9fb 9060 ruby optional ruby-websocket-extensions_0.1.2-1+deb10u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---