Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby-actionpack-3.2

This version adds a single patch that fixes a security problem (CVE-2012-3424, #683370), and was just uploaded to unstable. You will find a debdiff against the version currently in testing attached.

unblock ruby-actionpack-3.2/3.2.6-3

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro <terceiro@debian.org>
diff -Nru ruby-actionpack-3.2-3.2.6/debian/changelog ruby-actionpack-3.2-3.2.6/debian/changelog --- ruby-actionpack-3.2-3.2.6/debian/changelog 2012-06-24 19:07:35.000000000 -0300 +++ ruby-actionpack-3.2-3.2.6/debian/changelog 2012-08-04 09:29:24.000000000 -0300 @@ -1,3 +1,9 @@ +ruby-actionpack-3.2 (3.2.6-3) unstable; urgency=high + + * Add patch by Aaron Patterson for CVE-2012-3424 (Closes: #683370) + + -- Antonio Terceiro <terceiro@debian.org> Sat, 04 Aug 2012 09:28:12 -0300 + ruby-actionpack-3.2 (3.2.6-2) unstable; urgency=low * Bump build dependency to gem2deb >= 0.3.0~ diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3424.patch ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3424.patch --- ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3424.patch 1969-12-31 21:00:00.000000000 -0300 +++ ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3424.patch 2012-08-04 09:27:46.000000000 -0300 
@@ -0,0 +1,22 @@ +Description: Do not convert digest auth strings to symbols. +Author: Aaron Patterson <aaron.patterson@gmail.com> + +--- + +Origin: upstream, https://github.com/rails/rails/commit/27311fef5efa598f281649074255834546d2b4ec +Forwarded: not-needed + +--- ruby-actionpack-3.2-3.2.6.orig/lib/action_controller/metal/http_authentication.rb ++++ ruby-actionpack-3.2-3.2.6/lib/action_controller/metal/http_authentication.rb +@@ -227,9 +227,9 @@ module ActionController + end + + def decode_credentials(header) +- Hash[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair| ++ HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair| + key, value = pair.split('=', 2) +- [key.strip.to_sym, value.to_s.gsub(/^"|"$/,'').gsub(/'/, '')] ++ [key.strip, value.to_s.gsub(/^"|"$/,'').delete('\'')] + end] + end + diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/series ruby-actionpack-3.2-3.2.6/debian/patches/series --- ruby-actionpack-3.2-3.2.6/debian/patches/series 1969-12-31 21:00:00.000000000 -0300 +++ ruby-actionpack-3.2-3.2.6/debian/patches/series 2012-08-04 09:26:26.000000000 -0300 @@ -0,0 +1 @@ +CVE-2012-3424.patch
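Review bot: in the decode_credentials hunk of CVE-2012-3424.patch, dropping `.to_sym` only keeps existing lookups working because `Hash` is swapped for `HashWithIndifferentAccess` at the same time, and the hunk does not show a `require 'active_support/core_ext/hash/indifferent_access'` in http_authentication.rb; please confirm the constant is loaded by the time a Digest Authorization header is parsed, ideally by running the digest-auth tests against the patched package. The substance of the change is the right fix for the CVE: `key` comes straight from the client's Authorization header, and on the Ruby interpreters of this era symbols are never garbage collected, so `key.strip.to_sym` let any unauthenticated client grow the symbol table without bound (memory exhaustion); keeping the keys as strings closes that. Two smaller points: `.gsub(/'/, '')` to `.delete('\'')` is a behaviour-preserving cleanup, and in the DEP-3 header the `Origin:` and `Forwarded:` fields sit below the `---` separator, where DEP-3 parsers stop reading header fields; move them above it, directly after `Author:`.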