[DRE-maint] Bug#789311: Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()

Youhei SASAKI uwabami at gfd-dennou.org
Wed Jul 29 08:30:34 UTC 2015


Dear Debian Security Team

I've created patches to fix CVE-2015-3225 for wheezy and jessie.

 #789311 (CVE-2015-3225)

Please consider updating the stable versions of ruby-rack with the attached
debdiffs to close this CVE issue.

# BTW, due to an unreported FTBFS issue with ruby-rack in jessie, we
# can't build the package without "DH_RUBY_IGNORE_TESTS=all"...

Best Wishes,
Youhei

On Sat, 20 Jun 2015 02:38:32 +0900,
Salvatore Bonaccorso <carnil at debian.org> wrote:
> 
> Source: ruby-rack
> Version: 1.4.1-1
> Severity: important
> Tags: security patch upstream fixed-upstream
> 
> Hi,
> 
> the following vulnerability was published for ruby-rack.
> 
> CVE-2015-3225[0]:
> Potential Denial of Service Vulnerability in Rack normalize_params()
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2015-3225
> 
> Regards,
> Salvatore

---
Youhei SASAKI <uwabami at gfd-dennou.org>
              <uwabami at debian.or.jp>
GPG fingerprint:
  4096/RSA: 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ruby-rack_wheezy.debdiff
Type: application/octet-stream
Size: 4498 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20150729/74d3f12b/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ruby-rack_jessie.debdiff
Type: application/octet-stream
Size: 4461 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20150729/74d3f12b/attachment-0003.obj>
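The debdiffs themselves are scrubbed from the archive, so as an added illustration of the CVE named in the subject (not Rack's code, not the attached patches, and not part of the original mail) here is a minimal re-implementation of Rack-style nested query parameter normalisation. It shows why an unbounded recursive descent over "a[a][a]..." keys lets a client choose the server's stack depth, and mirrors the shape of the upstream fix, a cap on nesting depth. The module name, the 100-level default and the helper names are assumptions for this example.

```ruby
require 'cgi'

# Illustration only: a simplified normalize_params with and without a depth cap.
# Not Rack's implementation; names and the default limit are chosen for this example.
module NestedParams
  ParamDepthError = Class.new(RangeError)

  # Assumed default for this example; a real limit is tuned per application.
  DEFAULT_DEPTH_LIMIT = 100

  # Folds "k[a][b]=v&..." pairs into a nested Hash.
  # depth_limit: nil reproduces the unbounded (vulnerable) behaviour,
  # an Integer caps how deep the recursion may go.
  def self.parse(query, depth_limit: DEFAULT_DEPTH_LIMIT)
    params = {}
    query.split('&').each do |pair|
      next if pair.empty?
      k, v = pair.split('=', 2).map { |s| CGI.unescape(s.to_s) }
      normalize(params, k, v, 0, depth_limit)
    end
    params
  end

  # Recursive descent over "name[rest]" key syntax. Every bracket group costs one
  # stack frame, so the attacker's key length maps directly onto recursion depth.
  def self.normalize(params, name, v, depth, depth_limit)
    if depth_limit && depth >= depth_limit
      raise ParamDepthError, "parameter nesting exceeds #{depth_limit} levels"
    end

    m = name.match(/\A[\[\]]*([^\[\]]+)\]*/)
    return params unless m
    k = m[1]
    after = m.post_match

    if after.empty?
      params[k] = v                     # scalar leaf: a=1
    elsif after == '[]'
      params[k] ||= []                  # array leaf: a[]=1&a[]=2
      params[k] << v
    else
      params[k] ||= {}                  # nested hash: a[b][c]=1
      normalize(params[k], after, v, depth + 1, depth_limit)
    end
    params
  end

  # Constructed attacker input: "a" followed by `levels` "[a]" groups.
  def self.hostile_key(levels)
    'a' + '[a]' * levels
  end

  # Probes how a parser configured with depth_limit reacts to a hostile key.
  # :rejected      -> the cap stopped the descent cleanly (request fails, process lives)
  # :accepted      -> parsed without complaint
  # :stack_exhausted -> the unbounded parser ran the interpreter out of stack
  def self.probe(levels, depth_limit:)
    parse("#{hostile_key(levels)}=1", depth_limit: depth_limit)
    :accepted
  rescue ParamDepthError
    :rejected
  rescue SystemStackError
    :stack_exhausted
  end
end

if __FILE__ == $0
  p NestedParams.parse('a[b][c]=1&x=2&y[]=3&y[]=4')
  p NestedParams.probe(150, depth_limit: 100)
  p NestedParams.probe(1_000_000, depth_limit: nil)
end
```

With the cap in place an over-nested key fails the single request with a RangeError subclass that the application or middleware can turn into a 400; without it the same input is a one-request crash of the worker, which is the denial of service the CVE describes. When backporting such a fix, also check whether anything in the application already rescues RangeError from parameter parsing, since the new error surfaces through the same path.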

