Your message dated Sat, 02 Dec 2017 19:32:57 +0000
with message-id <e1eldwz-000cw1...@fasolo.debian.org>
and subject line Bug#881445: fixed in ruby-ox 2.1.1-2+deb8u1
has caused the Debian Bug report #881445,
regarding ruby-ox: CVE-2017-15928: Segmentation fault in the parse_obj
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
881445: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-ox
Version: 2.1.1-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/ohler55/ox/issues/194

Hi,

the following vulnerability was published for ruby-ox.

Rationale for RC severity: I think the issue warrants being addressed for
the next stable release. The issue itself, though, possibly does not
warrant a DSA on its own for stretch and jessie.

CVE-2017-15928[0]:
| In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation
| fault when a crafted input is supplied to parse_obj. NOTE: the vendor
| has stated "Ox should handle the error more gracefully" but has not
| confirmed a security implication.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15928
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15928
[1] https://github.com/ohler55/ox/issues/194
[2] https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ruby-ox
Source-Version: 2.1.1-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
ruby-ox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 881...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cédric Boutillier <bou...@debian.org> (supplier of updated ruby-ox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 26 Nov 2017 01:08:40 +0100
Source: ruby-ox
Binary: ruby-ox
Architecture: source amd64
Version: 2.1.1-2+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Cédric Boutillier <bou...@debian.org>
Description:
 ruby-ox    - fast XML parser and object serializer
Closes: 881445
Changes:
 ruby-ox (2.1.1-2+deb8u1) jessie; urgency=medium
 .
   * Team upload
   * Add fix_parse_obj_segfault.patch picked from upstream
     + fix CVE-2017-15928: segmentation fault in parse_obj
     (Closes: #881445)
Checksums-Sha1:
 689ff33eb1f5485774eefdbf9930a93df132fb16 1659 ruby-ox_2.1.1-2+deb8u1.dsc
 4082055278bcf1a2fa4b8bde816f52c8e2c077e9 3736 ruby-ox_2.1.1-2+deb8u1.debian.tar.xz
 188d0b58c38cc422ab890c50bd86d00f7fd05f30 59778 ruby-ox_2.1.1-2+deb8u1_amd64.deb
Checksums-Sha256:
 45f23871fa7988540e4c3effa94c8f077d0bb7b37399080cbb1fc13c13b6f944 1659 ruby-ox_2.1.1-2+deb8u1.dsc
 bdf3afbd10f5108d445baf98650b72a1e8c3f88fe0c700d2f7f8ddcc6aef69e7 3736 ruby-ox_2.1.1-2+deb8u1.debian.tar.xz
 c7b565af9aa68d02523d1b1b20da198f28d7174b1ed8e9dcad677aae6f68d61c 59778 ruby-ox_2.1.1-2+deb8u1_amd64.deb
Files:
 50074fae854a1fdb952f9eeb2077b589 1659 ruby optional ruby-ox_2.1.1-2+deb8u1.dsc
 1a1318bea53c33253424ba983755d0ed 3736 ruby optional ruby-ox_2.1.1-2+deb8u1.debian.tar.xz
 fc54a094ed257f05a2f33aafefbed9d1 59778 ruby optional ruby-ox_2.1.1-2+deb8u1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEnM1rMZ2/jkCrGr0aia+CtznNIXoFAlobSL0ACgkQia+CtznN
IXrP+Qf/au3X2EtwJGj1euVjOqUWkdUbEvjYQsBpU0IKx/S4ONekqeAVHaVtaxUF
PebG3/ymfQ6zRpRqP5fMYFej0qR0EVi74+quQ5GWQO2lCTlVWrZcIv4LNkg5DPIM
DB7nCwrGSLfrm/hSPIdzZb3vX4wDNfTQ/ZaA1V4+xVL2iixNXqasA6LF8PQfFUfj
BI7AcwtixqWpj8UmyZY//jZwFvEEOKTsPvpG4yUQt/G8HDeya97OgDAKGpuQW104
vsy27q50IBP7+QO6A6lKZJY/DKQWL8iR+2bWJHeCeRmJS5fxnoIlJsKzJjrsJ96g
MQS08yQmDfUcX4G6GCb1pt+D+ZPYtQ==
=eqyS
-----END PGP SIGNATURE-----

--- End Message ---
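The close message above names the jessie package version that carries the fix, 2.1.1-2+deb8u1, so the practical check on a host is whether the installed ruby-ox is at or above it. That comparison has to follow Debian's version ordering (the `+deb8u1` suffix sorts above the bare `-2`, and a `~` sorts below everything), which neither plain string comparison nor semver gets right. The following is an added example, not code from the Debian BTS mail, from the ruby-ox package or from the Ox gem: a pure-Ruby reimplementation of the dpkg `verrevcmp` ordering, applied to the version strings from this report. The helper names (`deb_version_cmp`, `jessie_ruby_ox_fixed?`) and the sample versions in the demo are constructed for illustration; on a Debian host the canonical tool is `dpkg --compare-versions`, and the threshold is only meaningful for the jessie suite, since other suites have their own fixed versions.

```ruby
# Added example: dpkg-style version ordering in pure Ruby, used to decide
# whether an installed jessie ruby-ox carries the CVE-2017-15928 fix.
# Not part of the Debian BTS mail or the ruby-ox/Ox code base.

FIXED_JESSIE_VERSION = '2.1.1-2+deb8u1'  # from the changes file above

def digit?(c)
  !c.nil? && c >= '0' && c <= '9'
end

# Character weight as dpkg defines it: '~' sorts before everything, even the
# end of the string; letters sort before other punctuation; digits and the
# end of the string weigh 0 so the numeric comparison below takes over.
def order(c)
  return 0 if c.nil? || digit?(c)
  return c.ord if c.match?(/[A-Za-z]/)
  return -1 if c == '~'
  c.ord + 256
end

# Compare two upstream or revision fragments the way dpkg's verrevcmp does:
# alternate between non-digit runs (compared by weight) and digit runs
# (compared numerically, leading zeros ignored). Returns -1, 0 or 1.
def verrevcmp(a, b)
  i = j = 0
  while i < a.length || j < b.length
    first_diff = 0
    while (i < a.length && !digit?(a[i])) || (j < b.length && !digit?(b[j]))
      ac = order(a[i])
      bc = order(b[j])
      return ac <=> bc if ac != bc
      i += 1
      j += 1
    end
    i += 1 while i < a.length && a[i] == '0'
    j += 1 while j < b.length && b[j] == '0'
    while i < a.length && digit?(a[i]) && j < b.length && digit?(b[j])
      first_diff = a[i].ord - b[j].ord if first_diff.zero?
      i += 1
      j += 1
    end
    return 1 if i < a.length && digit?(a[i])   # a has more digits: larger number
    return -1 if j < b.length && digit?(b[j])
    return first_diff <=> 0 unless first_diff.zero?
  end
  0
end

# Split "[epoch:]upstream[-revision]" into its three parts.
def parse_version(v)
  epoch, rest = v.include?(':') ? v.split(':', 2) : ['0', v]
  upstream, sep, revision = rest.rpartition('-')
  if sep.empty?           # no Debian revision present
    upstream = rest
    revision = ''
  end
  [epoch.to_i, upstream, revision]
end

# Returns -1, 0 or 1, matching dpkg --compare-versions lt/eq/gt.
def deb_version_cmp(a, b)
  ea, ua, ra = parse_version(a)
  eb, ub, rb = parse_version(b)
  return ea <=> eb if ea != eb
  c = verrevcmp(ua, ub)
  return c unless c.zero?
  verrevcmp(ra, rb)
end

# True when a jessie ruby-ox version is at or above the fixed 2.1.1-2+deb8u1.
def jessie_ruby_ox_fixed?(installed)
  deb_version_cmp(installed, FIXED_JESSIE_VERSION) >= 0
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample versions: the vulnerable jessie package, the fixed
  # one, and a hypothetical backport-style version that must sort below.
  %w[2.1.1-2 2.1.1-2+deb8u1 2.1.1-2~bpo8+1].each do |v|
    puts "#{v}: #{jessie_ruby_ox_fixed?(v) ? 'fixed' : 'VULNERABLE'}"
  end
end
```

Feed `jessie_ruby_ox_fixed?` the output of `dpkg-query -W -f='${Version}' ruby-ox` on a jessie host to get the same verdict `dpkg --compare-versions` would give; for any other suite, substitute that suite's own fixed version from the security tracker entry linked in the report.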
