
Bug#805260: marked as done (jessie-pu: package ruby-bson/1.10.0-1+deb8u1)



Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <1453557435.1835.52.camel@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #805260,
regarding jessie-pu: package ruby-bson/1.10.0-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
805260: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805260
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Please accept the fixes for CVE-2015-4410 in ruby-bson. I already discussed it
with the security team (tagged as no-dsa).

Source debdiff attached.

 https://security-tracker.debian.org/CVE-2015-4410

Regards,
Prach

diff -Nru ruby-bson-1.10.0/debian/changelog ruby-bson-1.10.0/debian/changelog
--- ruby-bson-1.10.0/debian/changelog	2014-05-15 12:00:35.000000000 +0700
+++ ruby-bson-1.10.0/debian/changelog	2015-11-16 08:59:15.000000000 +0700
@@ -1,3 +1,9 @@
+ruby-bson (1.10.0-1+deb8u1) jessie; urgency=medium
+
+  * Fix CVE-2015-4410: DoS and possible injection (Closes: #787951)
+
+ -- Prach Pongpanich <prach@debian.org>  Mon, 16 Nov 2015 08:55:51 +0700
+
 ruby-bson (1.10.0-1) unstable; urgency=medium
 
   [ Cédric Boutillier ]
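Review bot: the entry `+  * Fix CVE-2015-4410: DoS and possible injection (Closes: #787951)` should also say what was changed, since stable users read the changelog to judge the impact of an update; something like "anchor BSON::ObjectId.legal? to the whole string (Update_BSON_ObjectId_validation.patch)" makes the one-line regex change and its patch file discoverable without unpacking the source. Mentioning that the security team agreed to handle this via jessie-pu rather than a DSA (as the cover mail states) would also be useful in the entry.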
diff -Nru ruby-bson-1.10.0/debian/gbp.conf ruby-bson-1.10.0/debian/gbp.conf
--- ruby-bson-1.10.0/debian/gbp.conf	1970-01-01 07:00:00.000000000 +0700
+++ ruby-bson-1.10.0/debian/gbp.conf	2015-11-16 08:59:15.000000000 +0700
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/jessie
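Review bot: `debian-branch = debian/jessie` is git-buildpackage metadata and has no effect on the built binary, but it is unrelated to the CVE fix; stable updates are expected to carry only the targeted change, so either drop it from this upload or note it in the changelog so the reviewer does not have to work out why a new file appears in the debdiff.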
diff -Nru ruby-bson-1.10.0/debian/patches/series ruby-bson-1.10.0/debian/patches/series
--- ruby-bson-1.10.0/debian/patches/series	2014-05-15 12:00:35.000000000 +0700
+++ ruby-bson-1.10.0/debian/patches/series	2015-11-15 00:59:01.000000000 +0700
@@ -4,3 +4,4 @@
 #change_require_activesupport.patch
 #add_to_bson_code.patch
 remove_rubygems_from_bins.patch
+Update_BSON_ObjectId_validation.patch
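Review bot: naming style only; the existing entries in `series` use lowercase_with_underscores (`remove_rubygems_from_bins.patch`) while the new one is `Update_BSON_ObjectId_validation.patch`, so consider lowercasing it for consistency. The patch is correctly appended after the enabled patch, so quilt ordering is unaffected.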
diff -Nru ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch
--- ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch	1970-01-01 07:00:00.000000000 +0700
+++ ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch	2015-11-15 00:59:01.000000000 +0700
@@ -0,0 +1,18 @@
+From bb544c2f6fd62940f04ddc1abeeaa3f23c1a9ade Mon Sep 17 00:00:00 2001
+From: Emily Stolfo <emily@10gen.com>
+Date: Thu, 4 Jun 2015 11:19:36 -0400
+Subject: [PATCH] RUBY-941 Update BSON ObjectId validation
+
+diff --git a/lib/bson/types/object_id.rb b/lib/bson/types/object_id.rb
+index 5de7f66..6e44efa 100644
+--- a/lib/bson/types/object_id.rb
++++ b/lib/bson/types/object_id.rb
+@@ -51,7 +51,7 @@ def initialize(data=nil, time=nil)
+     #
+     # @return [Boolean]
+     def self.legal?(str)
+-      str =~ /^[0-9a-f]{24}$/i ? true : false
++      str =~ /\A[0-9a-f]{24}\z/i ? true : false
+     end
+ 
+     # Create an object id from the given time. This is useful for doing range
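Review bot: the substantive change is the one line `-      str =~ /^[0-9a-f]{24}$/i ? true : false` becoming `+      str =~ /\A[0-9a-f]{24}\z/i ? true : false`, and it is the right fix: in Ruby `^` and `$` are line anchors, so a multi-line string whose first line is 24 hex characters passed the old `legal?` check even though the rest of the string was not an ObjectId, which is what the DoS/injection description in the changelog refers to. `\A` and `\z` anchor to the start and absolute end of the string; note `\z` was chosen rather than `\Z`, which would still allow a trailing newline, so the check now accepts exactly 24 hex characters and nothing else. Two documentation points: the quilt patch carries only the upstream git header, so add DEP-3 `Origin: upstream, <commit URL>` and `Bug-Debian: https://bugs.debian.org/787951` lines so the provenance is visible in the patch itself; and the `@return [Boolean]` comment above the method would benefit from a sentence stating that the whole string must be a 24-character hex ObjectId, since that is the property the fix restores.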



--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam

--- End Message ---
