Bug#689075: CVE-2011-1005: safe level bypass

2012-10-03 Thread Tyler Hicks
On 2012-10-01 11:04:30, Tyler Hicks wrote: > I'll be sure to update this bug when they've applied the fix upstream. Ok, the fix is public: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37068 It ended up being more complicated than I initially thought.

Bug#689075: CVE-2011-1005: safe level bypass

2012-10-01 Thread Tyler Hicks
On 2012-09-30 17:47:30, Antonio Terceiro wrote: > Thanks for submitting this. Did you notify upstream of the fact that the > 1.9 series is actually affected by this issue? Yes, right after I filed this bug. After speaking with upstream, they will be applying a slightly different fix. You probably

Bug#689075: CVE-2011-1005: safe level bypass

2012-09-28 Thread Tyler Hicks
Package: ruby1.9.1 Version: 1.9.3.194-1 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu quantal ubuntu-patch Dear Maintainer, While running some regression tests I discovered that 1.9.3.194-1 is vulnerable to CVE-2

Bug#687672: xmlrpc-c: Embedded Expat vulnerable to CVE-2012-0876, CVE-2012-1148

2012-09-14 Thread Tyler Hicks
Package: xmlrpc-c Version: 1.06.27-1 Followup-For: Bug #687672 User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu quantal ubuntu-patch I've also backported the same changes to 1.06.27-1 for our Lucid xmlrpc-c package. It looks to apply cleanly to the Squeeze package. Here's the changelog:

Bug#687672: xmlrpc-c: Embedded Expat vulnerable to CVE-2012-0876, CVE-2012-1148

2012-09-14 Thread Tyler Hicks
Package: xmlrpc-c Version: 1.16.33-3.1 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu quantal ubuntu-patch Dear Maintainer, In Ubuntu, the attached patch was applied to achieve the following: * Run the tests as

Bug#652996: [Secure-testing-team] Bug#652996: t1lib: CVE-2011-0764

2011-12-22 Thread Tyler Hicks
On 2011-12-22 12:35:42, Michael Gilbert wrote: > Hi, > > Thanks for sending the patch this way. No problem! > Do you have any idea how this CVE relates to CVE-2011-1552 through > CVE-2011-1554 [0]? According to mitre's description they are all > "different vulnerability than CVE-2011-0764", but

Bug#652996: t1lib: CVE-2011-0764

2011-12-22 Thread Tyler Hicks
Package: t1lib Version: 5.1.2-3 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu precise ubuntu-patch http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0764 *** /tmp/tmpP7Dzmm In Ubuntu, the attached patch was