Your message dated Wed, 14 Dec 2022 20:55:03 +0000
with message-id <e1p5ymn-00apqx...@fasolo.debian.org>
and subject line Bug#1014968: fixed in mruby 3.1.0-1
has caused the Debian Bug report #1014968,
regarding mruby: CVE-2021-46020 CVE-2022-0240 CVE-2022-0481 CVE-2022-0890 
CVE-2022-1071 CVE-2022-1427 CVE-2022-1201
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1014968: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014968
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mruby
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mruby.

CVE-2021-46020[0]:
| An untrusted pointer dereference in mrb_vm_exec() of mruby v3.0.0 can
| lead to a segmentation fault or application crash.

https://github.com/mruby/mruby/issues/5613
https://github.com/mruby/mruby/commit/a137ef12f981b517f1e6b64e39edc7ac15d7e1eb
https://github.com/mruby/mruby/commit/d3b7601af96c9e0eeba4c89359289661c755a74a

CVE-2022-0240[1]:
| mruby is vulnerable to NULL Pointer Dereference

https://huntr.dev/bounties/5857eced-aad9-417d-864e-0bdf17226cbb/
https://github.com/mruby/mruby/commit/31fa3304049fc406a201a72293cce140f0557dca

CVE-2022-0481[2]:
| NULL Pointer Dereference in Homebrew mruby prior to 3.2.

https://huntr.dev/bounties/54725c8c-87f4-41b6-878c-01d8e0ee7027
https://github.com/mruby/mruby/commit/ae3c99767a27f5c6c584162e2adc6a5d0eb2c54e

CVE-2022-0890[3]:
| NULL Pointer Dereference in GitHub repository mruby/mruby prior to
| 3.2.

https://huntr.dev/bounties/68e09ec1-6cc7-48b8-981d-30f478c70276/
https://github.com/mruby/mruby/commit/da48e7dbb20024c198493b8724adae1b842083aa

CVE-2022-1071[4]:
| Use after free in mrb_vm_exec in GitHub repository mruby/mruby prior
| to 3.2.

https://huntr.dev/bounties/6597ece9-07af-415b-809b-919ce0a17cf3
https://github.com/mruby/mruby/commit/aaa28a508903041dd7399d4159a8ace9766b022f

CVE-2022-1427[5]:
| Out-of-bounds Read in mrb_obj_is_kind_of in GitHub repository
| mruby/mruby prior to 3.2. # Impact: Possible arbitrary code execution
| if being exploited.

https://huntr.dev/bounties/23b6f0a9-64f5-421e-a55f-b5b7a671f301
https://github.com/mruby/mruby/commit/a4d97934d51cb88954cc49161dc1d151f64afb6b

CVE-2022-1201[6]:
| NULL Pointer Dereference in mrb_vm_exec with super in GitHub
| repository mruby/mruby prior to 3.2. This vulnerability is capable of
| making the mruby interpreter crash, thus affecting the availability of
| the system.

https://huntr.dev/bounties/6f930add-c9d8-4870-ae56-d4bd8354703b
https://github.com/mruby/mruby/commit/00acae117da1b45b318dc36531a7b0021b8097ae

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-46020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46020
[1] https://security-tracker.debian.org/tracker/CVE-2022-0240
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0240
[2] https://security-tracker.debian.org/tracker/CVE-2022-0481
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0481
[3] https://security-tracker.debian.org/tracker/CVE-2022-0890
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0890
[4] https://security-tracker.debian.org/tracker/CVE-2022-1071
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1071
[5] https://security-tracker.debian.org/tracker/CVE-2022-1427
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1427
[6] https://security-tracker.debian.org/tracker/CVE-2022-1201
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1201

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: mruby
Source-Version: 3.1.0-1
Done: Nobuhiro Iwamatsu <iwama...@debian.org>

We believe that the bug you reported is fixed in the latest version of
mruby, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1014...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <iwama...@debian.org> (supplier of updated mruby package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 08 Aug 2022 11:39:09 +0900
Source: mruby
Architecture: source
Version: 3.1.0-1
Distribution: unstable
Urgency: medium
Maintainer: Nobuhiro Iwamatsu <iwama...@debian.org>
Changed-By: Nobuhiro Iwamatsu <iwama...@debian.org>
Closes: 1014968
Changes:
 mruby (3.1.0-1) unstable; urgency=medium
 .
   * New upstream release.
   * Fix CVE-2021-46020, CVE-2022-0240, CVE-2022-0481, CVE-2022-0890,
     CVE-2022-1071, CVE-2022-1427, CVE-2022-1201. (Closes: #1014968)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
