Your message dated Sat, 18 Mar 2023 08:22:52 +0000 with message-id <e1pdrq0-003diz...@fasolo.debian.org> and subject line Bug#1010667: fixed in ruby-xmlhash 1.3.6-3.1 has caused the Debian Bug report #1010667, regarding ruby-xmlhash: CVE-2022-21949 - Improper Restriction of XML External Entity Reference to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1010667: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010667 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: ruby-xmlhash Version: 1.3.6-2 Severity: important Tags: security X-Debbugs-Cc: codeh...@debian.org, Debian Security Team <t...@security.debian.org> Hi, The following vulnerability was published for ruby-xmlhash. CVE-2022-21949[0]: | A Improper Restriction of XML External Entity Reference vulnerability | in SUSE Open Build Service allows remote attackers to reference | external entities in certain operations. This can be used to gain | information from the server that can be abused to escalate to Admin | privileges on OBS. This issue affects: SUSE Open Build Service Open | Build Service versions prior to 2.10.13. The vulnerable code is in https://github.com/coolo/xmlhash and is fixed in version 1.3.8 of ruby-xmlhash. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-21949 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21949 Please adjust the affected versions in the BTS as needed. -- System Information: Debian Release: bookworm/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---Source: ruby-xmlhash Source-Version: 1.3.6-3.1 Done: Adrian Bunk <b...@debian.org> We believe that the bug you reported is fixed in the latest version of ruby-xmlhash, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1010...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Adrian Bunk <b...@debian.org> (supplier of updated ruby-xmlhash package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 16 Mar 2023 17:28:19 +0200 Source: ruby-xmlhash Architecture: source Version: 1.3.6-3.1 Distribution: unstable Urgency: medium Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org> Changed-By: Adrian Bunk <b...@debian.org> Closes: 1010667 Changes: ruby-xmlhash (1.3.6-3.1) unstable; urgency=medium . * Non-maintainer upload. * CVE-2022-21949: Improper Restriction of XML External Entity Reference (Closes: #1010667) Checksums-Sha1: cb8bfb875e4e5085e267948e51c6d5c1c4bc7481 2054 ruby-xmlhash_1.3.6-3.1.dsc cc0147d89ef4acad47625cd88dc25eb29cd6e447 3264 ruby-xmlhash_1.3.6-3.1.debian.tar.xz Checksums-Sha256: ed1c20e2cfd41b3da074d450aa78d626380ba1ffcd42fbc35d7a3fe68a58efe8 2054 ruby-xmlhash_1.3.6-3.1.dsc 79eb5a82d4edf57e9fb82c6accfe1e2bbeb4e4b504d7b57c1ef376de6476ef84 3264 ruby-xmlhash_1.3.6-3.1.debian.tar.xz Files: ab760ca3cab32900b9abeffdd4b40b03 2054 ruby optional ruby-xmlhash_1.3.6-3.1.dsc 92b3e30fa20744c6586af50446c581c6 3264 ruby optional ruby-xmlhash_1.3.6-3.1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmQTNvUACgkQiNJCh6LY mLGlsg/+IsFjlxs3fecgxzfV/0NDtnAj4IAEWqXOLw/eXHFGO1aY0DWQBYiC6xtq wUkqI/LJGgqLpE0APqbqLqQVxL6ZuihiVw11LThOTrOkKvbqLe9rfewJR4AqC5AT pEsSuxq8whWZC0909WcmlsnbUEV6uBBkGFfb95r7nJGp+/8MQeb23dQnsdg3DFf3 B2bbRSSaWHidCadrwUXW163B9PvVLTbIcCj0ltU7K/jArFNUZ4G/a43DqW4fZftA de3KZFtzYyUUGL3zE3CiGnx842MA9wihX8tbY/o5x4BQ4Gv4yUPITT7MaMAX2qEZ pBoIphgDHi/NDvul5fMAkisMSuNlp9oN93/IOxgu0HSun+NTR3d/nYljdNf3XKhd +KEt6/TRVpTTQZwN1UYxiawWfpp1YCt275CGjj3nklumyunX3UKN53R1SAfmIdhN eRcQ1jLbvsbLwW02PPrk4mdrrlER3SGDaFijjCSHlZXBUpaa7MyldfYHjJUjn/1X vDl3EiTpq3RD4Lg61+OIVoH/KtneyXjGxRhiKYyLWezLfa4Zp473otHQN8/PH0yO T1Vz8Wb5UkjXjj8wxE/FYDtA4OJMZpHpCHRnUe/iyWCQea9WzxYiFo3jbVW0JXgH REC7NnP4f1TOlTQ0lfZJEesD/CBlTCTuHI+Ga/xOPDA93vwc7qk= =YsFF -----END PGP SIGNATURE-----
--- End Message ---
