Your message dated Sat, 23 Jan 2016 13:57:15 +0000 with message-id <1453557435.1835.52.camel@adam-barratt.org.uk> and subject line 8.3 point release cleanup has caused the Debian Bug report #805260, regarding jessie-pu: package ruby-bson/1.10.0-1+deb8u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
805260: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805260
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: jessie-pu: package ruby-bson/1.10.0-1+deb8u1
- From: Prach Pongpanich <prach@debian.org>
- Date: Mon, 16 Nov 2015 10:54:58 +0700
- Message-id: <20151116035458.GA1926@bravo>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Please accept the fixes for CVE-2015-4410 in ruby-bson. I already discussed with the security team (tagged as no-dsa). Source debdiff attached.

https://security-tracker.debian.org/CVE-2015-4410

Regards,
Prach

diff -Nru ruby-bson-1.10.0/debian/changelog ruby-bson-1.10.0/debian/changelog --- ruby-bson-1.10.0/debian/changelog 2014-05-15 12:00:35.000000000 +0700 +++ ruby-bson-1.10.0/debian/changelog 2015-11-16 08:59:15.000000000 +0700 @@ -1,3 +1,9 @@ +ruby-bson (1.10.0-1+deb8u1) jessie; urgency=medium + + * Fix CVE-2015-4410: DoS and possible injection (Closes: #787951) + + -- Prach Pongpanich <prach@debian.org> Mon, 16 Nov 2015 08:55:51 +0700 + ruby-bson (1.10.0-1) unstable; urgency=medium [ Cédric Boutillier ] diff -Nru ruby-bson-1.10.0/debian/gbp.conf ruby-bson-1.10.0/debian/gbp.conf --- ruby-bson-1.10.0/debian/gbp.conf 1970-01-01 07:00:00.000000000 +0700 +++ ruby-bson-1.10.0/debian/gbp.conf 2015-11-16 08:59:15.000000000 +0700 @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = debian/jessie diff -Nru ruby-bson-1.10.0/debian/patches/series ruby-bson-1.10.0/debian/patches/series --- ruby-bson-1.10.0/debian/patches/series 2014-05-15 12:00:35.000000000 +0700 +++ ruby-bson-1.10.0/debian/patches/series 2015-11-15 00:59:01.000000000 +0700 @@ -4,3 +4,4 @@ #change_require_activesupport.patch #add_to_bson_code.patch remove_rubygems_from_bins.patch +Update_BSON_ObjectId_validation.patch diff -Nru ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch --- ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch 1970-01-01 07:00:00.000000000 +0700 +++ ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch 2015-11-15 00:59:01.000000000 +0700 
@@ -0,0 +1,18 @@ +From bb544c2f6fd62940f04ddc1abeeaa3f23c1a9ade Mon Sep 17 00:00:00 2001 +From: Emily Stolfo <emily@10gen.com> +Date: Thu, 4 Jun 2015 11:19:36 -0400 +Subject: [PATCH] RUBY-941 Update BSON ObjectId validation + +diff --git a/lib/bson/types/object_id.rb b/lib/bson/types/object_id.rb +index 5de7f66..6e44efa 100644 +--- a/lib/bson/types/object_id.rb ++++ b/lib/bson/types/object_id.rb +@@ -51,7 +51,7 @@ def initialize(data=nil, time=nil) + # + # @return [Boolean] + def self.legal?(str) +- str =~ /^[0-9a-f]{24}$/i ? true : false ++ str =~ /\A[0-9a-f]{24}\z/i ? true : false + end + + # Create an object id from the given time. This is useful for doing range
Attachment: signature.asc
Description: Digital signature
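Review bot: the new debian/gbp.conf (`debian-branch = debian/jessie`) is not mentioned in the debian/changelog entry, which lists only the CVE-2015-4410 fix. For a stable update, either add a changelog line for the packaging change or drop the file from this upload so the debdiff carries only the security fix.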
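Review bot: in the `self.legal?` hunk of Update_BSON_ObjectId_validation.patch, the switch from `^`/`$` to `\A`/`\z` ships with no regression test and no note in the patch header on why the anchors matter. In Ruby `^` and `$` match at every line boundary, so the old pattern accepted any multi-line string in which one line consists of 24 hex digits; a spec case that passes such a string to `legal?` and expects false would pin the fix. The header would also benefit from DEP-3 `Origin:` and `Bug-Debian:` fields pointing at the upstream commit and #787951.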
--- End Message ---
--- Begin Message ---
- To: 783355-done@bugs.debian.org, 784944-done@bugs.debian.org, 787021-done@bugs.debian.org, 787423-done@bugs.debian.org, 791403-done@bugs.debian.org, 792468-done@bugs.debian.org, 792806-done@bugs.debian.org, 793556-done@bugs.debian.org, 794940-done@bugs.debian.org, 796281-done@bugs.debian.org, 797170-done@bugs.debian.org, 797710-done@bugs.debian.org, 798028-done@bugs.debian.org, 798584-done@bugs.debian.org, 798749-done@bugs.debian.org, 798889-done@bugs.debian.org, 798890-done@bugs.debian.org, 798891-done@bugs.debian.org, 798892-done@bugs.debian.org, 798893-done@bugs.debian.org, 798895-done@bugs.debian.org, 799033-done@bugs.debian.org, 799070-done@bugs.debian.org, 799229-done@bugs.debian.org, 799230-done@bugs.debian.org, 799369-done@bugs.debian.org, 799477-done@bugs.debian.org, 799758-done@bugs.debian.org, 799777-done@bugs.debian.org, 800006-done@bugs.debian.org, 800664-done@bugs.debian.org, 800793-done@bugs.debian.org, 800881-done@bugs.debian.org, 801095-done@bugs.debian.org, 801098-done@bugs.debian.org, 801100-done@bugs.debian.org, 801304-done@bugs.debian.org, 801318-done@bugs.debian.org, 801441-done@bugs.debian.org, 801580-done@bugs.debian.org, 801743-done@bugs.debian.org, 801851-done@bugs.debian.org, 801892-done@bugs.debian.org, 802851-done@bugs.debian.org, 802879-done@bugs.debian.org, 802900-done@bugs.debian.org, 802942-done@bugs.debian.org, 803362-done@bugs.debian.org, 803467-done@bugs.debian.org, 803490-done@bugs.debian.org, 803569-done@bugs.debian.org, 803678-done@bugs.debian.org, 803730-done@bugs.debian.org, 804157-done@bugs.debian.org, 804172-done@bugs.debian.org, 804208-done@bugs.debian.org, 804381-done@bugs.debian.org, 804383-done@bugs.debian.org, 804734-done@bugs.debian.org, 804885-done@bugs.debian.org, 805024-done@bugs.debian.org, 805127-done@bugs.debian.org, 805190-done@bugs.debian.org, 805214-done@bugs.debian.org, 805260-done@bugs.debian.org, 805293-done@bugs.debian.org, 805383-done@bugs.debian.org, 805634-done@bugs.debian.org, 
805721-done@bugs.debian.org, 805894-done@bugs.debian.org, 806129-done@bugs.debian.org, 806165-done@bugs.debian.org, 806247-done@bugs.debian.org, 806252-done@bugs.debian.org, 806338-done@bugs.debian.org, 806529-done@bugs.debian.org, 806640-done@bugs.debian.org, 807129-done@bugs.debian.org, 807140-done@bugs.debian.org, 807142-done@bugs.debian.org, 807273-done@bugs.debian.org, 807280-done@bugs.debian.org, 807467-done@bugs.debian.org, 807489-done@bugs.debian.org, 807515-done@bugs.debian.org, 807576-done@bugs.debian.org, 807612-done@bugs.debian.org, 807828-done@bugs.debian.org, 807917-done@bugs.debian.org, 808559-done@bugs.debian.org, 808890-done@bugs.debian.org, 809200-done@bugs.debian.org, 809255-done@bugs.debian.org, 809258-done@bugs.debian.org, 809307-done@bugs.debian.org, 809534-done@bugs.debian.org, 809561-done@bugs.debian.org, 809688-done@bugs.debian.org, 809757-done@bugs.debian.org, 809824-done@bugs.debian.org, 810004-done@bugs.debian.org, 810111-done@bugs.debian.org, 810130-done@bugs.debian.org, 810542-done@bugs.debian.org, 810760-done@bugs.debian.org, 810887-done@bugs.debian.org, 811132-done@bugs.debian.org, 811320-done@bugs.debian.org, 792779-done@bugs.debian.org
- Subject: 8.3 point release cleanup
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 23 Jan 2016 13:57:15 +0000
- Message-id: <1453557435.1835.52.camel@adam-barratt.org.uk>
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3 Jessie point release.

Regards,

Adam
--- End Message ---