
Bug#771543: unblock: ruby-rack-ssl/1.3.2-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

ruby-rack-ssl 1.3.2-3 contains a backport of a security fix for
CVE-2014-2538 (BTS #742186).

Please unblock package ruby-rack-ssl. Debdiff attached.

Thanks,
Christian

unblock ruby-rack-ssl/1.3.2-3
diff -Nru ruby-rack-ssl-1.3.2/debian/changelog ruby-rack-ssl-1.3.2/debian/changelog
--- ruby-rack-ssl-1.3.2/debian/changelog	2014-03-29 18:06:59.000000000 +0100
+++ ruby-rack-ssl-1.3.2/debian/changelog	2014-11-30 15:28:01.000000000 +0100
@@ -1,3 +1,13 @@
+ruby-rack-ssl (1.3.2-4) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch to fix CVE-2014-2538. Our patch is based on
+    upstream 9d7d7300b907e496db68d89d07fbc2e0df0b487b.
+    (Closes: #742186)
+    Thanks to Moritz Muehlenhoff for the pointer.
+
+ -- Christian Hofstaedtler <zeha@debian.org>  Sun, 30 Nov 2014 15:24:17 +0100
+
 ruby-rack-ssl (1.3.2-3) unstable; urgency=medium
 
   * Add myself to Uploaders:
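Review bot: the new changelog entry introduces version 1.3.2-4, but the bug title and the `unblock ruby-rack-ssl/1.3.2-3` line in this request name 1.3.2-3, which per this very hunk is the previous upload that only touched Uploaders. The release team acts on the version string in the request, so it should be corrected to `unblock ruby-rack-ssl/1.3.2-4` (or the changelog version fixed) before this is processed.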
diff -Nru ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch
--- ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch	2014-11-30 15:23:33.000000000 +0100
@@ -0,0 +1,27 @@
+From 9d7d7300b907e496db68d89d07fbc2e0df0b487b Mon Sep 17 00:00:00 2001
+From: Xavier Shay <xavier@squareup.com>
+Date: Tue, 9 Jul 2013 08:49:27 -0700
+Subject: [PATCH] Handle bad URIs gracefully.
+
+Some adapters (i.e. jruby-rack) will pass through bad URIs, then display
+the resulting exception. This creates an attack vector for XSS attacks.
+
+[Refreshed for 1.3.x, remove test as 1.3.x has no tests. -zeha@d.o.]
+---
+ lib/rack/ssl.rb  | 2 ++
+ test/test_ssl.rb | 8 ++++++++
+ 2 files changed, 10 insertions(+)
+
+Index: ruby-rack-ssl/lib/rack/ssl.rb
+===================================================================
+--- ruby-rack-ssl.orig/lib/rack/ssl.rb	2014-11-30 15:22:21.088079637 +0100
++++ ruby-rack-ssl/lib/rack/ssl.rb	2014-11-30 15:23:31.800007708 +0100
+@@ -54,6 +54,8 @@ module Rack
+                                         'Location'     => url.to_s)
+ 
+         [301, headers, []]
++      rescue URI::InvalidURIError
++        [404, {}, []]
+       end
+ 
+       # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
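Review bot: the diffstat carried over from the upstream commit (`test/test_ssl.rb | 8 ++++++++`, `2 files changed, 10 insertions(+)`) no longer describes this patch: the bracketed note says the test was dropped for 1.3.x, and the body only touches lib/rack/ssl.rb with 2 insertions, so the stat block should be regenerated or removed to avoid confusing anyone applying it with `git am`. On the change itself, catching `URI::InvalidURIError` at method level and answering `[404, {}, []]` is the right shape, since the malformed request URI never reaches an adapter error page; one nit is that the empty header hash yields a 404 without a Content-Type, which the Rack spec (as enforced by Rack::Lint) expects for a 404, so a minimal `{'Content-Type' => 'text/plain'}` would be slightly safer for downstream middleware.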
diff -Nru ruby-rack-ssl-1.3.2/debian/patches/series ruby-rack-ssl-1.3.2/debian/patches/series
--- ruby-rack-ssl-1.3.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ ruby-rack-ssl-1.3.2/debian/patches/series	2014-11-30 15:19:41.000000000 +0100
@@ -0,0 +1 @@
+0001-Handle-bad-URIs-gracefully.patch