Re: [SECURITY] [DLA 3077-1] ruby-tzinfo security update
Hi Chris,
On Fri, Aug 19, 2022 at 10:00:28AM -0700, Chris Lamb wrote:
> Hi Emilio,
>
> > Could you please use the same template as everyone else? Not just for
> > consistency, but also to avoid breaking scripts that work on the announcements.
>
> Very happy to! But it very much looks like I'm using the same format that
> is generated in, for example, ./DLA-3077-1 within the security-tracker Git
> working tree. What am I missing?
>
> // Chris
>
>
> >> -------------------------------------------------------------------------
> >> Debian LTS Advisory DLA-3077-1 debian-lts@lists.debian.org
> >> https://www.debian.org/lts/security/ Chris Lamb
> >> August 18, 2022 https://wiki.debian.org/LTS
> >> -------------------------------------------------------------------------
> >>
> >> Package : ruby-tzinfo
> >> Version : 1.2.5-1+deb10u1
> >> CVE ID : CVE-2022-31163
> >>
> >> It was discovered that there was a potential directory traversal
> >> vulnerability in ruby-tzinfo, a timezone library for the Ruby
> >> programming language.
> >>
> >> For Debian 10 "Buster", this problem has been fixed in version
> >> 1.2.5-1+deb10u1.
From what I can see this probably has been generated with a template
before commit 9656503867e7 ("DLA.template: normalize dist name") (but
it's strange as the suite name is not even replaced). Do you maybe
have your own copy of it?
Regards,
Salvatore
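The advisory quoted above names a directory-traversal bug in ruby-tzinfo but gives no detail of it. What follows is an added Ruby illustration of that bug class in a timezone-identifier lookup; it is not tzinfo's code, and the identifier regexes, the /srv/tzdata data root and the sample identifiers are assumptions made for the example. It shows why validating an identifier with ^ and $ (which are line anchors in Ruby) is not enough once the identifier becomes part of a file path, and the two checks a hardened lookup applies: a whole-string anchored pattern, plus a containment check on the resolved path.

```ruby
# Added illustration of directory traversal in a timezone-identifier lookup.
# NOT tzinfo's code: the regexes, root directory and identifiers are assumptions.

# Line-anchored check. In Ruby, ^ and $ match at line boundaries, so an
# identifier carrying an embedded "\n" can hide a second line behind a valid
# first line and still satisfy the pattern.
LINE_ANCHORED   = %r{^[A-Za-z0-9+\-_]+(/[A-Za-z0-9+\-_]+)*$}
# String-anchored check. \A and \z only match at the very start and end of the
# whole string, so the entire identifier must conform.
STRING_ANCHORED = %r{\A[A-Za-z0-9+\-_]+(/[A-Za-z0-9+\-_]+)*\z}

# Assumed data root for the example; nothing is read from disk here.
ROOT = "/srv/tzdata"

# Constructed sample identifiers for the example.
GOOD_ID = "Europe/London"
# First line is a valid-looking zone name; the text after "\n" climbs out of
# ROOT once the identifier is joined into a path.
EVIL_ID = "Europe/London\n/../../../etc/passwd"

def weak_valid?(identifier)
  LINE_ANCHORED.match?(identifier)
end

def strict_valid?(identifier)
  STRING_ANCHORED.match?(identifier)
end

# Resolve a zone identifier to its data file under `root`. Returns nil if the
# identifier fails `validator` or if the fully resolved path leaves `root`;
# the second check is defence in depth and catches EVIL_ID even with the
# weak validator.
def zone_file(root, identifier, validator)
  return nil unless validator.call(identifier)

  root_prefix = File.expand_path(root) + File::SEPARATOR
  path = File.expand_path(File.join(root, "#{identifier}.rb"))
  return nil unless path.start_with?(root_prefix)

  path
end

if __FILE__ == $PROGRAM_NAME
  [GOOD_ID, EVIL_ID].each do |id|
    puts "#{id.inspect}: weak=#{weak_valid?(id)} strict=#{strict_valid?(id)}"
    puts "  weak lookup:   #{zone_file(ROOT, id, method(:weak_valid?)).inspect}"
    puts "  strict lookup: #{zone_file(ROOT, id, method(:strict_valid?)).inspect}"
  end
end
```

Running it shows that EVIL_ID passes the ^/$ pattern but not the \A/\z one, and that the path-containment check rejects it regardless of which validator let it through; both layers belong in any lookup that turns untrusted names into file paths.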