[DRE-maint] Bug#698440: Bug#698440: ruby-rack: CVE-2012-6109 CVE-2013-0184 CVE-2013-0183

Nobuhiro Iwamatsu iwamatsu at nigauri.org
Mon Jan 21 23:36:22 UTC 2013


Hi,

On Sun, Jan 20, 2013 at 6:13 AM, Youhei SASAKI <uwabami at gfd-dennou.org> wrote:
> Dear team member:
> (Cc: BTS, security team)
>
> I created cherry-picked patches from upstream in order to fix these CVE
> issues and committed them to the team git repository. Please review for upload.

Looks good to me.

>
>   Vcs-Git: git://git.debian.org/pkg-ruby-extras/ruby-rack.git
>   Vcs-Browser: http://git.debian.org/?p=pkg-ruby-extras/ruby-rack.git;a=summary
>
> BTW, I don't know whether these issues affect the stable packages,
> librack-ruby{,1.8,1.9.1}, ver. 1.1.0-4.

I seem to need 0003-Reimplement-auth-scheme-fix.patch.
Please consult the security team about this.

>
> # We have dropped them from the SVN repos. Thus we should import them into
> # the team Git repos.
>
> P.S. Thanks Moritz!
>
> At 18 Jan 2013 15:55:23 +0100,
> "Moritz Muehlenhoff" <jmm at inutil.org> wrote:
>>
>> Package: ruby-rack
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Please see these links for details:
>> http://seclists.org/oss-sec/2013/q1/80
>> http://seclists.org/oss-sec/2013/q1/83
>>
>
> Best Wishes,
> - ---
> Youhei SASAKI <uwabami at gfd-dennou.org>
>               <uwabami at debian.or.jp>
> GPG fingerprint:
>   4096/RSA: 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07
>
> _______________________________________________
> Pkg-ruby-extras-maintainers mailing list
> Pkg-ruby-extras-maintainers at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers

Best regards,
  Nobuhiro

-- 
Nobuhiro Iwamatsu
   iwamatsu at {nigauri.org / debian.org}
   GPG ID: 40AD1FA6
