--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: buster-pu: package ruby-websocket-extensions/0.1.2-1+deb10u1
- From: "Chris Lamb" <lamby@debian.org>
- Date: Thu, 13 May 2021 11:25:35 +0100
- Message-id: <162090147829.2730756.17624457854586101446@tinycat.chris-lamb.co.uk>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: Andreas Beckmann <anbe@debian.org>
Dear stable release managers,
Please consider ruby-websocket-extensions (0.1.2-1+deb10u1) for buster:
ruby-websocket-extensions (0.1.2-1+deb10u1) buster; urgency=medium
.
* CVE-2020-7663: Prevent a denial of service attack that is exploitable
by an exponential-time regular expression backtracking vulnerability.
(Closes: #964274)
This fixes the lack of clean updates from stretch to buster. The full
debdiff is attached.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
diff --git a/debian/changelog b/debian/changelog
index d887af9..0cff651 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ruby-websocket-extensions (0.1.2-1+deb10u1) buster; urgency=medium
+
+ * CVE-2020-7663: Prevent a denial of service attack that is exploitable
+ by an exponential-time regular expression backtracking vulnerability.
+ (Closes: #964274)
+
+ -- Chris Lamb <lamby@debian.org> Thu, 13 May 2021 11:23:30 +0100
+
ruby-websocket-extensions (0.1.2-1) unstable; urgency=medium
* Initial release (Closes: #816883)
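Review bot: in the new entry, "a denial of service attack that is exploitable by an exponential-time regular expression backtracking vulnerability" reads oddly, since the backtracking is the cause of the denial of service rather than something that exploits it; "Fix a denial of service (exponential-time regular expression backtracking) in the extension header parser" says the same thing in the changelog's usual style and keeps the CVE identifier and the Closes: line as they are.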
diff --git a/debian/patches/0001-CVE-2020-7663-Prevent-a-denial-of-service-attack-tha.patch b/debian/patches/0001-CVE-2020-7663-Prevent-a-denial-of-service-attack-tha.patch
new file mode 100644
index 0000000..9f7629b
--- /dev/null
+++ b/debian/patches/0001-CVE-2020-7663-Prevent-a-denial-of-service-attack-tha.patch
@@ -0,0 +1,23 @@
+From: Chris Lamb <lamby@debian.org>
+Date: Thu, 13 May 2021 11:22:35 +0100
+Subject: CVE-2020-7663: Prevent a denial of service attack that is
+ exploitable by an exponential-time regular expression backtracking
+ vulnerability. (Closes: #964274)
+
+---
+ lib/websocket/extensions/parser.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/websocket/extensions/parser.rb b/lib/websocket/extensions/parser.rb
+index 06db917..38d1f19 100644
+--- a/lib/websocket/extensions/parser.rb
++++ b/lib/websocket/extensions/parser.rb
+@@ -6,7 +6,7 @@ module WebSocket
+ class Parser
+ TOKEN = /([!#\$%&'\*\+\-\.\^_`\|~0-9a-z]+)/
+ NOTOKEN = /([^!#\$%&'\*\+\-\.\^_`\|~0-9a-z])/
+- QUOTED = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/
++ QUOTED = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/
+ PARAM = %r{#{TOKEN.source}(?:=(?:#{TOKEN.source}|#{QUOTED.source}))?}
+ EXT = %r{#{TOKEN.source}(?: *; *#{PARAM.source})*}
+ EXT_LIST = %r{^#{EXT.source}(?: *, *#{EXT.source})*$}
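Review bot: the DEP-3 header block carries only From:, Date: and Subject:, with no Origin: or Bug-Debian: field, so a reader of the patch cannot tell whether the `\\` added to the negated class in parser.rb is the upstream fix or a Debian-local one; add `Origin: upstream, <commit or release>` (or `Origin: vendor`) and `Bug-Debian: https://bugs.debian.org/964274`. The one-character change is the right fix: with the old QUOTED a backslash satisfied both `\\[\x00-\x7f]` and `[^\x00-\x08\x0a-\x1f\x7f"]`, so a quoted value made of many backslashes and no closing quote gave the matcher two choices at every byte and it tried every combination before giving up; excluding `\\` from the plain class leaves the escape branch as the only way to consume a backslash, so the failing match is a single linear pass. Since the debdiff adds no test, it would help to record in the patch description how the fix was verified (at least that the gem's existing test suite still passes and that a long unterminated quoted value now returns promptly).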
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..13fb1a6
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-CVE-2020-7663-Prevent-a-denial-of-service-attack-tha.patch
--- End Message ---
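A worked illustration of the regex change in the debdiff above, added here as an editorial example; it is not part of the bug report, the Debian package or the websocket-extensions gem. It keeps both versions of QUOTED (copied from the hunk), builds a small Sec-WebSocket-Extensions parser on the patched pattern, and counts how many ways each version can consume a run of backslashes, which is where the exponential backtracking comes from. The names OLD_QUOTED, parse_extensions and backslash_tokenizations, and the sample header values, are my own.

```ruby
require 'strscan'

# Editorial example for this page, not code from the websocket-extensions gem
# or from the Debian package. The three regexes are copied from the hunk
# above; everything else (parse_extensions, backslash_tokenizations) is mine.

TOKEN = /([!#\$%&'\*\+\-\.\^_`\|~0-9a-z]+)/

# Before the patch: a backslash satisfies the escape branch \\[\x00-\x7f]
# and the plain class, so the matcher has two choices at every backslash.
OLD_QUOTED = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/

# After the patch: the plain class also excludes \\, so only the escape
# branch can consume a backslash and each position has a single parse.
QUOTED = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/

# Parse a Sec-WebSocket-Extensions value into [[name, {param => value}], ...].
# A bare parameter gets the value true; a token or quoted-string value is
# returned as a String with quoted-pair escapes (\x -> x) removed.
# Returns nil if the whole header is not a well-formed extension list.
def parse_extensions(header)
  s = StringScanner.new(header)
  exts = []
  loop do
    s.skip(/ */)
    name = s.scan(TOKEN) or return nil
    params = {}
    while s.skip(/ *; */)
      key = s.scan(TOKEN) or return nil
      value = true
      if s.skip(/=/)
        if s.scan(TOKEN)
          value = s[1]
        elsif s.scan(QUOTED)
          value = s[1].gsub(/\\(.)/m, '\1')
        else
          return nil
        end
      end
      params[key] = value
    end
    exts << [name, params]
    break if s.eos?
    s.skip(/ *, */) or return nil
  end
  exts
end

# Number of ways the repeated alternation inside QUOTED can tokenize a run of
# n backslashes: the escape branch takes two bytes at a time, the plain class
# (old pattern only) takes one. Old pattern: ways(n) = ways(n-1) + ways(n-2),
# a Fibonacci number, and on an input whose quote never closes a backtracking
# matcher tries every one of them. Patched pattern: 1 for even n, 0 for odd.
def backslash_tokenizations(n, plain_class_accepts_backslash:)
  ways = [1, plain_class_accepts_backslash ? 1 : 0]
  (2..n).each do |i|
    single = plain_class_accepts_backslash ? ways[i - 1] : 0
    ways << single + ways[i - 2]
  end
  ways[n]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample header: one bare and one token-valued parameter, then a
  # second extension with a quoted-string value containing an escaped quote.
  p parse_extensions('permessage-deflate; server_max_window_bits=10, x-foo; v="a\\"b"')
  puts "old QUOTED, 30 backslashes: #{backslash_tokenizations(30, plain_class_accepts_backslash: true)} tokenizations"
  puts "new QUOTED, 30 backslashes: #{backslash_tokenizations(30, plain_class_accepts_backslash: false)} tokenization"
  # Hostile value: a quote followed by 4000 backslashes and no closing quote.
  # The patched pattern rejects it in one linear pass.
  p QUOTED.match?('"' + '\\' * 4000)
end
```

The counter models the matcher's choices rather than timing it: on a backtracking engine the old pattern works through each of those tokenizations before rejecting a value such as `"` followed by n backslashes and no closing quote, so the cost grows as Fib(n), while the patched pattern has at most one tokenization and fails after a single pass. The example deliberately never runs OLD_QUOTED on a long hostile input: on an older interpreter that would hang, and on Ruby 3.2 or later the memoizing matcher and Regexp.timeout can mask the slowdown, so a wall-clock comparison is not a reliable demonstration.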