Your message dated Sat, 09 May 2020 11:53:52 +0100 with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk> and subject line Closing requests included in 10.4 point release has caused the Debian Bug report #953124, regarding buster-pu: package rake/12.3.1-3+deb10u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
953124: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953124
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: buster-pu: package rake/12.3.1-3+deb10u1
- From: Utkarsh Gupta <utkarsh@debian.org>
- Date: Thu, 5 Mar 2020 02:31:20 +0530
- Message-id: <CAPP0f964L_o5JMSuZb-cW4b9RbiK6N1WAoz0L8UE2BBhL4c3RA@mail.gmail.com>
Package: release.debian.org User: release.debian.org@packages.debian.org Usertags: pu Tags: buster Severity: normal Hiya, rake seemed to be affected by CVE-2020-8130. This has been fixed in Sid, Bullseye, and Jessie already. I got an ack to upload from the Security Team. Here's the debdiff: 8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------ diff -Nru rake-12.3.1/debian/changelog rake-12.3.1/debian/changelog --- rake-12.3.1/debian/changelog 2018-05-02 19:16:41.000000000 +0530 +++ rake-12.3.1/debian/changelog 2020-02-29 20:40:36.000000000 +0530 @@ -1,3 +1,10 @@ +rake (12.3.1-3+deb10u1) buster; urgency=high + + * Team upload + * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130) + + -- Utkarsh Gupta <utkarsh@debian.org> Sat, 29 Feb 2020 20:40:36 +0530 + rake (12.3.1-3) unstable; urgency=medium * Revert the drop of the ruby dependency. See Debian bug #897279 for related diff -Nru rake-12.3.1/debian/patches/CVE-2020-8130.patch rake-12.3.1/debian/patches/CVE-2020-8130.patch --- rake-12.3.1/debian/patches/CVE-2020-8130.patch 1970-01-01 05:30:00.000000000 +0530 +++ rake-12.3.1/debian/patches/CVE-2020-8130.patch 2020-02-29 20:34:19.000000000 +0530 @@ -0,0 +1,18 @@ +Description: Use File.open explicitly. +Author: Hiroshi SHIBATA <hsbt@ruby-lang.org> +Author: Utkarsh Gupta <utkarsh@debian.org> +Origin: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130 +Last-Update: 2020-02-29 + +--- a/lib/rake/file_list.rb ++++ b/lib/rake/file_list.rb +@@ -294,7 +294,7 @@ + matched = 0 + each do |fn| + begin +- open(fn, "r", *options) do |inf| ++ File.open(fn, "r", *options) do |inf| + count = 0 + inf.each do |line| + count += 1 diff -Nru rake-12.3.1/debian/patches/series rake-12.3.1/debian/patches/series --- rake-12.3.1/debian/patches/series 2018-05-02 19:16:41.000000000 +0530 +++ rake-12.3.1/debian/patches/series 2020-02-29 20:31:31.000000000 +0530 
@@ -1,3 +1,4 @@ 0001-test-helper-adapt-to-test-installed-package.patch 0002-rake-testtask-never-include-I-usr-lib-ruby-vendor_ru.patch 0003-gemspec-drop-git-usage.patch +CVE-2020-8130.patch 8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------ Best, Utkarsh --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
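Review bot: In the new debian/patches/CVE-2020-8130.patch, the one-line change in lib/rake/file_list.rb (`open(fn, "r", *options)` to `File.open(fn, "r", *options)`) arrives without a regression test, and the Description, "Use File.open explicitly.", does not say why the bare call was a problem. Kernel#open hands a string that begins with `|` to a subprocess instead of opening a file, while File.open always treats its argument as a path; a sentence to that effect in the Description, plus a test asserting that every entry in the list is only ever opened as a file, would make the fix reviewable on its own. The Origin field could also carry the DEP-3 category, as in `Origin: upstream, https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee`.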
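Review bot: The debian/changelog entry for 12.3.1-3+deb10u1 says "Add patch to use File.open explicitly." without naming the patch file or the code it touches. Since the change is confined to lib/rake/file_list.rb, wording such as "Add CVE-2020-8130.patch: use File.open explicitly in lib/rake/file_list.rb" would let a reader match the entry to the new line in debian/patches/series without opening the debdiff.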
--- End Message ---
--- Begin Message ---
- Subject: Closing requests included in 10.4 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 May 2020 11:53:52 +0100
- Message-id: <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's stable point release.

Regards,

Adam
--- End Message ---