Your message dated Sat, 05 Sep 2015 14:31:07 +0100 with message-id <1441459867.2151.32.camel@adam-barratt.org.uk> and subject line Closing p-u bugs for 8.2 has caused the Debian Bug report #794090, regarding jessie-pu: package ruby2.1/2.1.5-2+deb8u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 794090: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794090 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package ruby2.1/2.1.5-2+deb8u2
- From: Antonio Terceiro <terceiro@debian.org>
- Date: Thu, 30 Jul 2015 09:06:10 -0300
- Message-id: <20150730120610.GA24229@debian.org>
Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, I would like to upload the attached diff as a stable update for ruby2.1, fixing a minor security bug that didn't qualify for a DSA. Te following patches were cherry-picked from upstream: http://anonscm.debian.org/cgit/collab-maint/ruby.git/commit/?h=debian/jessie&id=9b945cadc3b157829a60debff1dd5c536644f9b2 http://anonscm.debian.org/cgit/collab-maint/ruby.git/commit/?h=debian/jessie&id=61f89c1e7b7ac864d840686aa7824eb04cba5cff -- System Information: Debian Release: stretch/sid APT prefers buildd-unstable APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Antonio Terceiro <terceiro@debian.org>diff --git a/debian/changelog b/debian/changelog index 933e6ab..13a9637 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ruby2.1 (2.1.5-2+deb8u2) jessie; urgency=high + + * Apply upstream patches to fix Request hijacking vulnerability in Rubygems + [CVE-2015-3900] (Closes: #790119) + + -- Antonio Terceiro <terceiro@debian.org> Wed, 29 Jul 2015 09:27:24 -0300 + ruby2.1 (2.1.5-2+deb8u1) jessie-security; urgency=high * Fix vulnerabiity with overly permissive matching of hostnames in OpenSSL diff --git a/lib/rubygems/remote_fetcher.rb b/lib/rubygems/remote_fetcher.rb index 58991ca..ed2e171 100644 --- a/lib/rubygems/remote_fetcher.rb +++ b/lib/rubygems/remote_fetcher.rb @@ -90,7 +90,13 @@ class Gem::RemoteFetcher rescue Resolv::ResolvError uri else - URI.parse "#{uri.scheme}://#{res.target}#{uri.path}" + target = res.target.to_s.strip + + if /\.#{Regexp.quote(host)}\z/ =~ target + return URI.parse "#{uri.scheme}://#{target}#{uri.path}" + end + + uri end end diff --git a/test/rubygems/test_gem_remote_fetcher.rb b/test/rubygems/test_gem_remote_fetcher.rb index 79f3a58..626797f 100644 --- a/test/rubygems/test_gem_remote_fetcher.rb +++ b/test/rubygems/test_gem_remote_fetcher.rb @@ -163,6 +163,21 @@ gems: end def test_api_endpoint + uri = URI.parse "http://example.com/foo" + target = MiniTest::Mock.new + target.expect :target, "gems.example.com" + + dns = MiniTest::Mock.new + dns.expect :getresource, target, [String, Object] + + fetch = Gem::RemoteFetcher.new nil, dns + assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri) + + target.verify + dns.verify + end + + def test_api_endpoint_ignores_trans_domain_values uri = URI.parse "http://gems.example.com/foo" target = MiniTest::Mock.new target.expect :target, "blah.com" @@ -171,7 +186,37 @@ gems: dns.expect :getresource, target, [String, Object] fetch = Gem::RemoteFetcher.new nil, dns - assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri) + assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri) + + target.verify + dns.verify + end + + def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original + uri = URI.parse "http://example.com/foo" + target = MiniTest::Mock.new + target.expect :target, "example.combadguy.com" + + dns = MiniTest::Mock.new + dns.expect :getresource, target, [String, Object] + + fetch = Gem::RemoteFetcher.new nil, dns + assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri) + + target.verify + dns.verify + end + + def test_api_endpoint_ignores_trans_domain_values_that_end_with_original + uri = URI.parse "http://example.com/foo" + target = MiniTest::Mock.new + target.expect :target, "badexample.com" + + dns = MiniTest::Mock.new + dns.expect :getresource, target, [String, Object] + + fetch = Gem::RemoteFetcher.new nil, dns + assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri) target.verify dns.verifyAttachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: 782381-done@bugs.debian.org, 785573-done@bugs.debian.org, 785780-done@bugs.debian.org, 787067-done@bugs.debian.org, 787299-done@bugs.debian.org, 787478-done@bugs.debian.org, 787635-done@bugs.debian.org, 787642-done@bugs.debian.org, 787692-done@bugs.debian.org, 787806-done@bugs.debian.org, 787867-done@bugs.debian.org, 787904-done@bugs.debian.org, 787952-done@bugs.debian.org, 788054-done@bugs.debian.org, 788110-done@bugs.debian.org, 788241-done@bugs.debian.org, 788283-done@bugs.debian.org, 788531-done@bugs.debian.org, 788608-done@bugs.debian.org, 788612-done@bugs.debian.org, 788615-done@bugs.debian.org, 788665-done@bugs.debian.org, 788928-done@bugs.debian.org, 788938-done@bugs.debian.org, 789189-done@bugs.debian.org, 789393-done@bugs.debian.org, 789724-done@bugs.debian.org, 789786-done@bugs.debian.org, 790060-done@bugs.debian.org, 790245-done@bugs.debian.org, 790833-done@bugs.debian.org, 790939-done@bugs.debian.org, 791792-done@bugs.debian.org, 792369-done@bugs.debian.org, 792452-done@bugs.debian.org, 793020-done@bugs.debian.org, 793163-done@bugs.debian.org, 793430-done@bugs.debian.org, 793470-done@bugs.debian.org, 793688-done@bugs.debian.org, 794003-done@bugs.debian.org, 794090-done@bugs.debian.org, 794407-done@bugs.debian.org, 795165-done@bugs.debian.org, 795271-done@bugs.debian.org, 795491-done@bugs.debian.org, 795706-done@bugs.debian.org, 795794-done@bugs.debian.org, 795911-done@bugs.debian.org, 795947-done@bugs.debian.org, 796088-done@bugs.debian.org, 796112-done@bugs.debian.org, 796379-done@bugs.debian.org, 796573-done@bugs.debian.org, 796595-done@bugs.debian.org, 796846-done@bugs.debian.org, 796975-done@bugs.debian.org, 797083-done@bugs.debian.org, 797179-done@bugs.debian.org, 797201-done@bugs.debian.org, 797209-done@bugs.debian.org, 797246-done@bugs.debian.org, 797304-done@bugs.debian.org, 797328-done@bugs.debian.org
- Subject: Closing p-u bugs for 8.2
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 05 Sep 2015 14:31:07 +0100
- Message-id: <1441459867.2151.32.camel@adam-barratt.org.uk>
Version: 8.2 Hi, These bugs correspond to updates which were included in the 8.2 point release. Regards, Adam
--- End Message ---