Your message dated Fri, 10 Feb 2023 17:00:27 +0000
with message-id <e1pqwl9-000a9j...@fasolo.debian.org>
and subject line Bug#1029832: fixed in ruby-rack 2.2.4-3
has caused the Debian Bug report #1029832,
regarding ruby-rack: CVE-2022-44570 CVE-2022-44571 CVE-2022-44572
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1029832: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-rack
Version: 2.2.4-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for ruby-rack.
CVE-2022-44570[0]:
| rack: Fix ReDoS in Rack::Utils.get_byte_ranges
CVE-2022-44571[1]:
| rack: Fix ReDoS vulnerability in multipart parser
CVE-2022-44572[2]:
| rack: Forbid control characters in attributes
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-44570
https://www.cve.org/CVERecord?id=CVE-2022-44570
[1] https://security-tracker.debian.org/tracker/CVE-2022-44571
https://www.cve.org/CVERecord?id=CVE-2022-44571
[2] https://security-tracker.debian.org/tracker/CVE-2022-44572
https://www.cve.org/CVERecord?id=CVE-2022-44572
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ruby-rack
Source-Version: 2.2.4-3
Done: Sruthi Chandran <s...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1029...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sruthi Chandran <s...@debian.org> (supplier of updated ruby-rack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 09 Feb 2023 11:47:17 +0100
Source: ruby-rack
Architecture: source
Version: 2.2.4-3
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Sruthi Chandran <s...@debian.org>
Closes: 1029832 1030442
Changes:
ruby-rack (2.2.4-3) unstable; urgency=high
.
* Team upload
* Fix test failures (Closes: #1030442)
* Fix CVE-2022-44570 CVE-2022-44571 CVE-2022-44572 (Closes: #1029832)
* Add Breaks for ruby-sinatra
--- End Message ---