Bug#771543: marked as done (unblock: ruby-rack-ssl/1.3.2-3)



Your message dated Sun, 30 Nov 2014 15:46:34 +0000
with message-id <1417362394.2472.24.camel@adam-barratt.org.uk>
and subject line Re: Bug#771543: unblock: ruby-rack-ssl/1.3.2-3
has caused the Debian Bug report #771543,
regarding unblock: ruby-rack-ssl/1.3.2-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
771543: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771543
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

ruby-rack-ssl 1.3.2-3 contains a backport of a security fix for
CVE-2014-2538 (BTS #742186).

Please unblock package ruby-rack-ssl. Debdiff attached.

Thanks,
Christian

unblock ruby-rack-ssl/1.3.2-3
diff -Nru ruby-rack-ssl-1.3.2/debian/changelog ruby-rack-ssl-1.3.2/debian/changelog
--- ruby-rack-ssl-1.3.2/debian/changelog	2014-03-29 18:06:59.000000000 +0100
+++ ruby-rack-ssl-1.3.2/debian/changelog	2014-11-30 15:28:01.000000000 +0100
@@ -1,3 +1,13 @@
+ruby-rack-ssl (1.3.2-4) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch to fix CVE-2014-2538. Our patch is based on
+    upstream 9d7d7300b907e496db68d89d07fbc2e0df0b487b.
+    (Closes: #742186)
+    Thanks to Moritz Muehlenhoff for the pointer.
+
+ -- Christian Hofstaedtler <zeha@debian.org>  Sun, 30 Nov 2014 15:24:17 +0100
+
 ruby-rack-ssl (1.3.2-3) unstable; urgency=medium
 
   * Add myself to Uploaders:
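Review bot: The version introduced by this changelog entry (`ruby-rack-ssl (1.3.2-4) unstable; urgency=medium`) does not match the version named in the unblock request and its subject (ruby-rack-ssl/1.3.2-3); since the CVE-2014-2538 patch is only added in 1.3.2-4, an unblock hint written against 1.3.2-3 would not let the fixed package migrate, so the request text (or the entry) should be corrected to 1.3.2-4. The entry itself is otherwise complete: it names the CVE, the upstream commit the backport is based on, and closes #742186.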
diff -Nru ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch
--- ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby-rack-ssl-1.3.2/debian/patches/0001-Handle-bad-URIs-gracefully.patch	2014-11-30 15:23:33.000000000 +0100
@@ -0,0 +1,27 @@
+From 9d7d7300b907e496db68d89d07fbc2e0df0b487b Mon Sep 17 00:00:00 2001
+From: Xavier Shay <xavier@squareup.com>
+Date: Tue, 9 Jul 2013 08:49:27 -0700
+Subject: [PATCH] Handle bad URIs gracefully.
+
+Some adapters (i.e. jruby-rack) will pass through bad URIs, then display
+the resulting exception. This creates an attack vector for XSS attacks.
+
+[Refreshed for 1.3.x, remove test as 1.3.x has no tests. -zeha@d.o.]
+---
+ lib/rack/ssl.rb  | 2 ++
+ test/test_ssl.rb | 8 ++++++++
+ 2 files changed, 10 insertions(+)
+
+Index: ruby-rack-ssl/lib/rack/ssl.rb
+===================================================================
+--- ruby-rack-ssl.orig/lib/rack/ssl.rb	2014-11-30 15:22:21.088079637 +0100
++++ ruby-rack-ssl/lib/rack/ssl.rb	2014-11-30 15:23:31.800007708 +0100
+@@ -54,6 +54,8 @@ module Rack
+                                         'Location'     => url.to_s)
+ 
+         [301, headers, []]
++      rescue URI::InvalidURIError
++        [404, {}, []]
+       end
+ 
+       # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
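Review bot: The diffstat carried in the patch header is stale: `test/test_ssl.rb | 8 ++++++++` and `2 files changed, 10 insertions(+)` describe the upstream commit, while the refresh note above says the test hunk was dropped for 1.3.x and only the two-line change to `lib/rack/ssl.rb` remains, so the stat should be updated (1 file changed, 2 insertions(+)) or removed so it does not mislead anyone reading the DEP-3 header. The code change itself is sound: the method-level `rescue URI::InvalidURIError` catches the failure raised while building the redirect `Location` from the request URI and answers with a bare `[404, {}, []]`, instead of letting the exception, which carries the attacker-supplied URI, propagate to an adapter that renders exceptions in the response; this is the behaviour of upstream 9d7d7300b907e496db68d89d07fbc2e0df0b487b and matching it exactly is the right choice for a freeze backport, even though 400 would arguably describe a malformed request URI more precisely than 404.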
diff -Nru ruby-rack-ssl-1.3.2/debian/patches/series ruby-rack-ssl-1.3.2/debian/patches/series
--- ruby-rack-ssl-1.3.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ ruby-rack-ssl-1.3.2/debian/patches/series	2014-11-30 15:19:41.000000000 +0100
@@ -0,0 +1 @@
+0001-Handle-bad-URIs-gracefully.patch

--- End Message ---
--- Begin Message ---
On Sun, 2014-11-30 at 16:33 +0100, Christian Hofstaedtler wrote:
> ruby-rack-ssl 1.3.2-3 contains a backport of a security fix for
> CVE-2014-2538 (BTS #742186).
> 
> Please unblock package ruby-rack-ssl. Debdiff attached.

Unblocked.

Regards,

Adam

--- End Message ---