Your message dated Sat, 25 Mar 2023 22:49:26 +0000
with message-id <e1pgchs-002f6r...@fasolo.debian.org>
and subject line Bug#1030050: fixed in rails 2:6.1.7.3+dfsg-1
has caused the Debian Bug report #1030050,
regarding rails: CVE-2023-22796 CVE-2023-22795 CVE-2023-22794 CVE-2023-22792
CVE-2022-44566
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1030050: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: rails
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for rails.
CVE-2023-22796[0]:
https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116
https://github.com/rails/rails/commit/4b383e6936d7a72b5dc839f526c9a9aeb280acae
(6-1-stable)
CVE-2023-22795[1]:
https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
https://github.com/rails/rails/commit/484fc9185db6c6a6a49ab458b11f9366da02bab2
(6-1-stable)
CVE-2023-22794[2]:
https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117
https://github.com/rails/rails/commit/048e9fc05e18c91838a44e60175e475de8b2aad5
(6-1-stable)
CVE-2023-22792[3]:
https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115
https://github.com/rails/rails/commit/7a7f37f146aa977350cf914eba20a95ce371485f
(6-1-stable)
CVE-2022-44566[4]:
https://discuss.rubyonrails.org/t/cve-2022-44566-possible-denial-of-service-vulnerability-in-activerecords-postgresql-adapter/82119
https://github.com/rails/rails/commit/414eb337d142a9c61d7723ceb9b7c1ab30dff3ed
(6-1-stable)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-22796
https://www.cve.org/CVERecord?id=CVE-2023-22796
[1] https://security-tracker.debian.org/tracker/CVE-2023-22795
https://www.cve.org/CVERecord?id=CVE-2023-22795
[2] https://security-tracker.debian.org/tracker/CVE-2023-22794
https://www.cve.org/CVERecord?id=CVE-2023-22794
[3] https://security-tracker.debian.org/tracker/CVE-2023-22792
https://www.cve.org/CVERecord?id=CVE-2023-22792
[4] https://security-tracker.debian.org/tracker/CVE-2022-44566
https://www.cve.org/CVERecord?id=CVE-2022-44566
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: rails
Source-Version: 2:6.1.7.3+dfsg-1
Done: Lucas Nussbaum <lu...@debian.org>
We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1030...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Lucas Nussbaum <lu...@debian.org> (supplier of updated rails package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 25 Mar 2023 23:39:22 +0100
Source: rails
Architecture: source
Version: 2:6.1.7.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Lucas Nussbaum <lu...@debian.org>
Closes: 1030050
Changes:
rails (2:6.1.7.3+dfsg-1) unstable; urgency=medium
.
* Team upload.
* New upstream version 6.1.7.3+dfsg. Closes: #1030050.
+ This is a security-only release from a rails stable branch.
Upstream changelogs:
https://github.com/rails/rails/releases/tag/v6.1.7.1
https://github.com/rails/rails/releases/tag/v6.1.7.2
https://github.com/rails/rails/releases/tag/v6.1.7.3
Fixed CVEs: CVE-2023-22796 CVE-2023-22794 CVE-2022-44566 CVE-2023-22795
CVE-2023-22792 CVE-2023-28120 CVE-2023-23913
+ All reverse dependencies and build-dependencies have been
tested using the ruby team's tooling. No regressions were found.
Checksums-Sha1:
8b1fec3172b1a796768b3b69fc0ea3d46dc2f18a 4809 rails_6.1.7.3+dfsg-1.dsc
4344f8646f875477e4f0e36b6f9276b50fa4b677 8177740 rails_6.1.7.3+dfsg.orig.tar.xz
9b253cdc7f04c04034964c60fa16d29f22f7b8bd 102716 rails_6.1.7.3+dfsg-1.debian.tar.xz
1b528dfe6b29391c920ab3a2c3957fbe6ef54c64 14315 rails_6.1.7.3+dfsg-1_source.buildinfo
Checksums-Sha256:
31c6dea4bbbdaa270502e859717ac897ad2d5db981888301bb99ce47f06f1170 4809 rails_6.1.7.3+dfsg-1.dsc
ac36866249e06c1cf590e6be38801f520a6a7aaa82f5283c4719c014909a892b 8177740 rails_6.1.7.3+dfsg.orig.tar.xz
0b11e7ea6e4ad42676c31af2642c0b4fd2b2bbd71c1d300d6496ad8ecbcf19e0 102716 rails_6.1.7.3+dfsg-1.debian.tar.xz
53bfaf43c4c370c8cd2799843081625edc242286ab7040b0f70942f8aa15dc4e 14315 rails_6.1.7.3+dfsg-1_source.buildinfo
Files:
4ec6600ba739c737fb9b7fae93421c4b 4809 ruby optional rails_6.1.7.3+dfsg-1.dsc
b5a032ba11b760cace82a232db399fa0 8177740 ruby optional rails_6.1.7.3+dfsg.orig.tar.xz
4c1fa97a02e4cab01c4da54998dd9cec 102716 ruby optional rails_6.1.7.3+dfsg-1.debian.tar.xz
5035af5d3aaea8e9f10f1a6e79674492 14315 ruby optional rails_6.1.7.3+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
...
=cVjJ
-----END PGP SIGNATURE-----
--- End Message ---
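The upload above fixes the five CVEs in unstable as of version 2:6.1.7.3+dfsg-1, so the practical question for an operator is whether an installed package is at least that version. Debian versions are not plain dotted numbers: there is an epoch ("2:"), an upstream part ("6.1.7.3+dfsg") and a revision ("-1"), and "~" sorts before everything. The following is an added example, not code from the BTS, the Debian Ruby Team or the rails project: a pure-Ruby implementation of the Debian Policy version comparison (section 5.6.12) used to check candidate version strings against the fixing version. The sample versions and the binary package name ruby-rails in the comment are assumptions made for illustration.

```ruby
# Added example: compare Debian package versions against the fixing upload
# 2:6.1.7.3+dfsg-1 using the Debian Policy 5.6.12 ordering rules.
# Pure Ruby so it runs without dpkg; on a real host you would feed it the
# output of (binary package name assumed):
#   dpkg-query -W -f='${Version}\n' ruby-rails

FIXED_RAILS_VERSION = "2:6.1.7.3+dfsg-1" # Source-Version from the .changes file above

# Split "[epoch:]upstream[-revision]" into its three parts.
# A missing epoch is 0 and a missing revision compares as "0".
def split_debian_version(version)
  epoch = 0
  rest = version
  if rest.include?(":")
    e, rest = rest.split(":", 2)
    epoch = Integer(e, 10)
  end
  hyphen = rest.rindex("-")
  upstream = hyphen ? rest[0...hyphen] : rest
  revision = hyphen ? rest[(hyphen + 1)..] : "0"
  [epoch, upstream, revision]
end

# Ordering of a single character inside a non-digit run: "~" sorts before
# anything, including the end of the run (nil); letters sort before
# non-letters, which are pushed past the letter range with an offset.
def deb_char_order(c)
  return -1 if c == "~"
  return 0 if c.nil?
  c.match?(/[A-Za-z]/) ? c.ord : c.ord + 256
end

def deb_compare_nondigit(a, b)
  i = 0
  while i < a.length || i < b.length
    d = deb_char_order(a[i]) <=> deb_char_order(b[i])
    return d unless d.zero?
    i += 1
  end
  0
end

# Compare two version fragments (upstream or revision) by peeling off
# alternating non-digit and digit runs; digit runs compare numerically.
def deb_compare_fragment(a, b)
  until a.empty? && b.empty?
    na = a[/\A\D*/]
    nb = b[/\A\D*/]
    a = a[na.length..]
    b = b[nb.length..]
    d = deb_compare_nondigit(na, nb)
    return d unless d.zero?

    da = a[/\A\d*/]
    db = b[/\A\d*/]
    a = a[da.length..]
    b = b[db.length..]
    d = da.to_i <=> db.to_i # "".to_i == 0, matching the policy rule
    return d unless d.zero?
  end
  0
end

# Returns -1, 0 or 1 like dpkg --compare-versions would decide lt/eq/gt.
def deb_version_compare(a, b)
  ea, ua, ra = split_debian_version(a)
  eb, ub, rb = split_debian_version(b)
  d = ea <=> eb
  return d unless d.zero?
  d = deb_compare_fragment(ua, ub)
  return d unless d.zero?
  deb_compare_fragment(ra, rb)
end

def rails_fixed?(installed_version, fixed: FIXED_RAILS_VERSION)
  deb_version_compare(installed_version, fixed) >= 0
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample versions, not taken from any real host.
  ["2:6.1.7.3+dfsg-1", "2:6.1.7+dfsg-1", "2:6.1.7.3+dfsg-1~bpo11+1", "1:7.0.4-1"].each do |v|
    puts "#{v}: #{rails_fixed?(v) ? 'at or above fixing version' : 'below fixing version'}"
  end
end
```

The comparison reproduces the points that trip up naive string or Gem::Version checks: epoch 1 versions are older than any epoch 2 version regardless of the upstream number, "6.1.7.3+dfsg" is newer than "6.1.7+dfsg", and a backport suffix such as "1~bpo11+1" is older than "1". One caveat: this upload is for unstable (Distribution: unstable above). Debian stable releases receive these fixes as backported patches under their own version numbers, so for a stable host the security-tracker links in the bug report, not this version string, are what tell you whether a CVE is fixed.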