Your message dated Sat, 28 Oct 2023 20:34:22 +0000
with message-id <e1qwq0k-000zqr...@fasolo.debian.org>
and subject line Bug#1029832: fixed in ruby-rack 2.1.4-3+deb11u1
has caused the Debian Bug report #1029832,
regarding ruby-rack: CVE-2022-44570 CVE-2022-44571 CVE-2022-44572
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1029832: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-rack
Version: 2.2.4-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for ruby-rack.

CVE-2022-44570[0]:
| rack: Fix ReDoS in Rack::Utils.get_byte_ranges

CVE-2022-44571[1]:
| rack: Fix ReDoS vulnerability in multipart parser

CVE-2022-44572[2]:
| rack: Forbid control characters in attributes

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-44570
    https://www.cve.org/CVERecord?id=CVE-2022-44570
[1] https://security-tracker.debian.org/tracker/CVE-2022-44571
    https://www.cve.org/CVERecord?id=CVE-2022-44571
[2] https://security-tracker.debian.org/tracker/CVE-2022-44572
    https://www.cve.org/CVERecord?id=CVE-2022-44572

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ruby-rack
Source-Version: 2.1.4-3+deb11u1
Done: Utkarsh Gupta <utka...@ubuntu.com>

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1029...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utka...@ubuntu.com> (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Thu, 08 Jun 2023 03:22:23 +0530
Source: ruby-rack
Architecture: source
Version: 2.1.4-3+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utka...@ubuntu.com>
Closes: 1029832 1032803 1033264
Changes:
 ruby-rack (2.1.4-3+deb11u1) bullseye-security; urgency=high
 .
   * Add patch to restrict broken mime parsing.
     (Fixes: CVE-2022-30122)
   * Add patch to escape untrusted text when logging.
     (Fixes: CVE-2022-30123)
   * Add patch to fix ReDoS in Rack::Utils.get_byte_ranges.
     (Fixes: CVE-2022-44570) (Closes: #1029832)
   * Add patch to fix ReDoS vulnerability in multipart parser.
     (Fixes: CVE-2022-44571) (Closes: #1029832)
   * Add patch to forbid control characters in attributes.
     (Fixes: CVE-2022-44572) (Closes: #1029832)
   * Add patch to limit all multipart parts, not just files.
     (Fixes: CVE-2023-27530) (Closes: #1032803)
   * Add patch to avoid ReDoS problem.
     (Fixes: CVE-2023-27539) (Closes: #1033264)


--- End Message ---
