Your message dated Tue, 16 Jun 2026 19:51:19 +0000
with message-id <[email protected]>
and subject line Bug#1137212: fixed in ruby-faraday 2.14.3-1
has caused the Debian Bug report #1137212,
regarding ruby-faraday: CVE-2026-33637
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137212: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137212
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-faraday
Version: 2.14.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ruby-faraday.

CVE-2026-33637[0]:
| Faraday is an HTTP client library abstraction layer that provides a
| common interface over many adapters. Versions 2.0.0 through 2.14.1
| still allow protocol-relative host override when the request target
| is passed as a URI object (rather than a String) to
| Faraday::Connection#build_exclusive_url. This bypasses the February
| 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request
| forgery: a request built from a fixed-base Faraday::Connection can
| be redirected to an attacker-controlled host, forwarding connection-
| scoped values such as Authorization headers and default query
| parameters. This issue has been fixed in version 2.14.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33637
    https://www.cve.org/CVERecord?id=CVE-2026-33637
[1] https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484

Regards,
Salvatore

--- End Message ---
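The mechanism the advisory above describes, reproduced with Ruby's standard-library URI reference resolution rather than Faraday's own code, together with the origin check a caller of a fixed-base client can apply before sending connection-scoped values. This is an added example, not part of the bug report or of the Faraday project; the base URL, the hostnames and the helper names (resolve_target, build_url_pinned, audit_targets) are constructed for illustration.

```ruby
require 'uri'

# Constructed sample: a fixed base the way an API client would configure it.
BASE = URI("https://api.example.com/v1/").freeze

# Resolve a request target against the base using RFC 3986 reference
# resolution as implemented by URI::Generic#merge. A protocol-relative
# reference ("//host/path") carries its own authority, so resolution keeps
# the base scheme but replaces the host. Accepting either a String or a
# URI object mirrors the two input kinds the advisory distinguishes.
def resolve_target(base, target)
  ref = target.is_a?(URI::Generic) ? target : URI(target.to_s)
  base.merge(ref)
end

class OffHostRequest < StandardError; end

# Defensive check: a connection scoped to one origin must never send
# connection-scoped secrets (Authorization header, default query params)
# to another origin. Returns the resolved URI or raises OffHostRequest.
def build_url_pinned(base, target)
  resolved = resolve_target(base, target)
  same_origin = resolved.scheme == base.scheme &&
                resolved.host.to_s.downcase == base.host.to_s.downcase &&
                resolved.port == base.port
  unless same_origin
    raise OffHostRequest,
          "target resolved to #{resolved.host.inspect}, base is #{base.host.inspect}"
  end
  resolved
end

# Run a set of targets through the pinned builder and report, per target,
# the host that would have been contacted or the error class that stopped it.
def audit_targets(base, targets)
  targets.each_with_object({}) do |t, out|
    out[t.to_s] = begin
      build_url_pinned(base, t).host
    rescue OffHostRequest => e
      e.class.name
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal relative path, an absolute URL on the base
  # host, and a protocol-relative reference given both as String and as URI.
  samples = [
    "users/42",
    "https://api.example.com/v1/users",
    "//untrusted.example/steal",
    URI("//untrusted.example/steal"),
  ]
  samples.each do |t|
    puts "#{t.to_s.ljust(36)} raw resolution -> #{resolve_target(BASE, t)}"
  end
  audit_targets(BASE, samples).each { |k, v| puts "#{k.ljust(36)} pinned -> #{v}" }
end
```

The raw resolution shows the class of bug: both the String and the URI form of the protocol-relative target resolve to the untrusted host while keeping the base scheme. The pinned builder compares scheme, host and port of the resolved URL against the base and refuses anything else, which is the kind of guard worth keeping in application code even after upgrading the library.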
--- Begin Message ---
Source: ruby-faraday
Source-Version: 2.14.3-1
Done: Simon Quigley <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ruby-faraday, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Quigley <[email protected]> (supplier of updated ruby-faraday package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 Jun 2026 14:39:08 -0500
Source: ruby-faraday
Architecture: source
Version: 2.14.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Simon Quigley <[email protected]>
Closes: 1137212
Changes:
 ruby-faraday (2.14.3-1) unstable; urgency=medium
 .
   * Team upload.
   * Upgrade the watch file to version 5.
   * New upstream release.
     - Fixes CVE-2026-33637 (Closes: #1137212).
   * Update Standards-Version to 4.7.4.
   * Bump debhelper-compat to 14, dropping ${misc:Depends},
     ${shlibs:Depends}, and ${ruby:Depends} from runtime dependencies.
Checksums-Sha1:
 eec3d8cc351c910d8f109165b949161628445f88 2273 ruby-faraday_2.14.3-1.dsc
 6727fa6902c20897b9331b273f934b1a0545635d 1039563 ruby-faraday_2.14.3.orig.tar.gz
 66bf8a74520bf1cdfc1a6eb32a9ad14137abbdd4 5716 ruby-faraday_2.14.3-1.debian.tar.xz
 604448108665a987507fb104fbb555961772a9df 8306 ruby-faraday_2.14.3-1_source.buildinfo
Checksums-Sha256:
 a8c1faae70cd610505b7040f699244b49c0c1689c0de9d3522b169b79cfeaf7e 2273 ruby-faraday_2.14.3-1.dsc
 aeb5db36f15e8d7061399040356c1eb7c9b5c8cd6538a51e243965ea8cad16bd 1039563 ruby-faraday_2.14.3.orig.tar.gz
 dfa9f72099d14c6ff0f3fc560a8d43039a702543d408399158ab027f3bf9e8fc 5716 ruby-faraday_2.14.3-1.debian.tar.xz
 13c4fcbbcc37623348f48961980674b01c054f5f524d4d2cabb9cb5667d83730 8306 ruby-faraday_2.14.3-1_source.buildinfo
Files:
 306e24b1163748009075ded59c9a5d2c 2273 ruby optional ruby-faraday_2.14.3-1.dsc
 878dd89fd1132b2bac129a2439800828 1039563 ruby optional ruby-faraday_2.14.3.orig.tar.gz
 57de098cbd23edeb7274b31679bb0ed3 5716 ruby optional ruby-faraday_2.14.3-1.debian.tar.xz
 33600885091053f5f2c70f782822ef6c 8306 ruby optional ruby-faraday_2.14.3-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
