Your message dated Sun, 13 Jun 2021 07:33:51 +0000
with message-id <e1lskcx-000hng...@fasolo.debian.org>
and subject line Bug#982552: fixed in ruby-carrierwave 1.3.2-1
has caused the Debian Bug report #982552,
regarding ruby-carrierwave: CVE-2021-21288
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
982552: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982552
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-carrierwave
Version: 1.3.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for ruby-carrierwave.

CVE-2021-21288[0]:
| CarrierWave is an open-source RubyGem which provides a simple and
| flexible way to upload files from Ruby applications. In CarrierWave
| before versions 1.3.2 and 2.1.1 the download feature has an SSRF
| vulnerability, allowing attackers to provide DNS entries or IP addresses
| that are intended for internal use and gather information about the
| Intranet infrastructure of the platform. This is fixed in versions
| 1.3.2 and 2.1.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21288
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21288
[1] https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
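The SSRF in the CVE text above sits in CarrierWave's remote-download feature, where a user-supplied URL is fetched server-side. Below is an added example, not CarrierWave's own code and not the ruby-ssrf-filter gem the package now builds against: a Ruby host check of the kind such a fix needs, which resolves the download host and refuses any address that falls in an internal range. The blocked range list, the hostnames, and the injectable `resolver` parameter are assumptions made for this example.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Address ranges a user-supplied download URL must never reach:
# loopback, RFC 1918, link-local, CGNAT, "this network", and their
# IPv6 counterparts. The list itself is an assumption; extend as needed.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# True if the address (string or IPAddr) lies in a blocked range.
# IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) are checked as IPv4,
# so the IPv6 spelling cannot slip past the IPv4 ranges.
def blocked_address?(addr)
  ip = addr.is_a?(IPAddr) ? addr : IPAddr.new(addr)
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Returns [true, addresses] or [false, reason]. The host is resolved
# through `resolver` (a callable returning address strings) so the
# check can be exercised offline; the default uses the system resolver.
# Every resolved address must pass, because a name may map to both a
# public and an internal address.
def safe_download_url?(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  return [false, "unsupported scheme"] unless %w[http https].include?(uri.scheme)
  return [false, "missing host"] if uri.hostname.nil? || uri.hostname.empty?

  host = uri.hostname # strips the brackets of an IPv6 literal
  addrs = begin
    IPAddr.new(host)
    [host] # IP literal: nothing to resolve
  rescue IPAddr::InvalidAddressError
    resolver.call(host)
  end
  return [false, "host does not resolve"] if addrs.empty?

  bad = addrs.find { |a| blocked_address?(a) }
  return [false, "host resolves to blocked address #{bad}"] if bad
  [true, addrs]
rescue URI::InvalidURIError
  [false, "unparseable URL"]
end
```

A complete mitigation also connects to the address it validated rather than resolving the name a second time, since a name whose answer changes between check and fetch would otherwise bypass the check.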
--- Begin Message ---
Source: ruby-carrierwave
Source-Version: 1.3.2-1
Done: Pirate Praveen <prav...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-carrierwave, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 982...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <prav...@debian.org> (supplier of updated ruby-carrierwave package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 28 Apr 2021 18:11:56 +0530
Source: ruby-carrierwave
Architecture: source
Version: 1.3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Pirate Praveen <prav...@debian.org>
Closes: 982552
Changes:
 ruby-carrierwave (1.3.2-1) unstable; urgency=medium
 .
   * New upstream version 1.3.2 (Closes: #982552) (Fixes: CVE-2021-21288)
   * Bump Standards-Version to 4.5.1 (no changes needed)
   * Drop compat file, rely on debhelper-compat and bump compat level to 13
   * Add ruby-ssrf-filter as build dependency


--- End Message ---
