
Re: Stretch 9.2 announcement: dead link for ruby-rack-cors DSA



On Wed, Oct 11, 2017 at 10:29:32PM +0200, Salvatore Bonaccorso wrote:
> Hi Adam,
> 
> On Wed, Oct 11, 2017 at 09:15:08PM +0100, Adam D. Barratt wrote:
> > On Wed, 2017-10-11 at 22:08 +0200, Holger Wansing wrote:
> > > at https://www.debian.org/News/2017/20171007 the DSA link for
> > > ruby-rack-cors is dead:
> > > 
> > > https://www.debian.org/security/2017/dsa-3931
> > > 
> > > There is no such DSA.
> > > And also no such announcement on
> > > https://lists.debian.org/debian-security-announce/
> > > 
> > 
> > It's in DSA/list in the secure-testing repository:
> > 
> > [10 Aug 2017] DSA-3931-1 ruby-rack-cors - security update
> >         {CVE-2017-11173}
> >         [stretch] - ruby-rack-cors 0.4.0-1+deb9u1
> > 
> > which is where the stable tools got the information from to begin with.
> > 
> > The package is also in
> > http://security.debian.org/debian-security/pool/updates/main/r/ruby-rack-cors/
> > 
> > So it looks like the announcement went missing somehow. team@security
> > CCed for comment.
> 
> Indeed, it looks like the announcement at least never arrived in d-s-a.
> 
> I wonder if after two months now it still makes sense to send the
> advisory or at least just import the text for the website.

That's the DSA text, no idea why it got lost. Surely doesn't make sense to
re-send it two months later:

Cheers,
        Moritz

-------------------------------------------------------------------------
Debian Security Advisory DSA-3931-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 10, 2017                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ruby-rack-cors
CVE ID         : CVE-2017-11173

Jens Mueller discovered that an incorrect regular expression in rack-cors
may lead to insufficient restriction of CORS requests.

For the stable distribution (stretch), this problem has been fixed in
version 0.4.0-1+deb9u1.

We recommend that you upgrade your ruby-rack-cors packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
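The advisory above describes the bug class only in one sentence: an incorrect regular expression leading to insufficient restriction of CORS requests. The following is an added illustration, not rack-cors code and not a reproduction of the actual CVE-2017-11173 defect (which the page does not detail). It contrasts a constructed weak origin pattern (unanchored, with unescaped dots, an assumption chosen for illustration) against an anchored pattern plus an exact-match allow list, and shows which attacker-controlled origins each accepts. The host names, helper names and sample origins are all constructed for this example.

```ruby
# Added example: why a sloppy origin regex under-restricts CORS, and how a
# properly written check behaves. Constructed; not rack-cors's own code.
require 'set'

# Weak check (constructed for illustration): no \A/\z anchors and
# unescaped dots, so it matches as a substring and '.' matches any char.
WEAK_ORIGIN_RE = /https:\/\/www.example.com/

def origin_allowed_weak?(origin)
  !!(WEAK_ORIGIN_RE =~ origin)
end

# Strict check: exact-match allow list first, anchored and escaped regex
# as the fallback for the rare case where a pattern is genuinely needed.
ALLOWED_ORIGINS = Set['https://www.example.com'].freeze
STRICT_ORIGIN_RE = %r{\Ahttps://www\.example\.com\z}

def origin_allowed_strict?(origin)
  return false unless origin.is_a?(String)
  ALLOWED_ORIGINS.include?(origin) || STRICT_ORIGIN_RE.match?(origin)
end

# Response headers for a request's Origin. A rejected or absent Origin
# yields no Access-Control-Allow-Origin header at all (never '*' with
# credentials). 'Vary: Origin' keeps caches from reusing the answer.
def cors_headers(origin, checker)
  return {} unless checker.call(origin)
  { 'Access-Control-Allow-Origin' => origin, 'Vary' => 'Origin' }
end

# Constructed sample origins: one legitimate, three that a browser could
# present from an attacker-controlled site.
SAMPLE_ORIGINS = [
  'https://www.example.com',                  # legitimate
  'https://www.example.com.attacker.test',    # prefix; unanchored regex accepts
  'https://wwwXexampleXcom',                  # unescaped dots match any char
  'https://evil.test/?u=https://www.example.com' # substring match
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ORIGINS.each do |o|
    puts format('%-48s weak=%-5s strict=%s', o,
                origin_allowed_weak?(o), origin_allowed_strict?(o))
  end
end
```

Run it directly to see the weak checker accept all four origins while the strict one accepts only the first; the strict checker also tolerates a missing Origin header (nil) by returning false rather than raising.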

