Your message dated Mon, 20 Jan 2020 15:58:17 +0000
with message-id <e1itzrr-0004js...@fasolo.debian.org>
and subject line Bug#940905: fixed in rexical 1.0.7-1
has caused the Debian Bug report #940905,
regarding rexical: CVE-2019-5477
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
940905: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940905
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: rexical
Version: 1.0.5-2
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for rexical.

CVE-2019-5477[0]:
| A command injection vulnerability in Nokogiri v1.10.3 and earlier
| allows commands to be executed in a subprocess via Ruby's
| `Kernel.open` method. Processes are vulnerable only if the
| undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being
| called with unsafe user input as the filename. This vulnerability
| appears in code generated by the Rexical gem versions v1.0.6 and
| earlier. Rexical is used by Nokogiri to generate lexical scanner code
| for parsing CSS queries. The underlying vulnerability was addressed in
| Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in
| Nokogiri v1.10.4.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5477
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: rexical
Source-Version: 1.0.7-1

We believe that the bug you reported is fixed in the latest version of
rexical, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 940...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cédric Boutillier <bou...@debian.org> (supplier of updated rexical package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 20 Jan 2020 15:27:02 +0100
Source: rexical
Architecture: source
Version: 1.0.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Cédric Boutillier <bou...@debian.org>
Closes: 940905
Changes:
 rexical (1.0.7-1) unstable; urgency=medium
 .
   [ Utkarsh Gupta ]
   * Add salsa-ci.yml
 .
   [ Cédric Boutillier ]
   * New upstream version 1.0.7
     + CVE-2019-5477: prefer File.open to Kernel.open to avoid command
       injection vulnerability (Closes: #940905)
   * Use https:// in Vcs-* fields
   * Run wrap-and-sort on packaging files
   * Use secure copyright file specification URI.
   * Bump debhelper from old 9 to 12.
   * Set debhelper-compat version in Build-Depends.
   * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
     Repository-Browse.
   * Add rubocop_out.patch to not run rubocop during tests
Checksums-Sha1:
 ef4700251b907190bf2d1f899c8f492bc3b74a99 1669 rexical_1.0.7-1.dsc
 9925974812a30a36e15ba769d9b1b7f91bc42abf 17852 rexical_1.0.7.orig.tar.gz
 df302ac3bd6143e6517391f25ee06c2cdcf5f496 5840 rexical_1.0.7-1.debian.tar.xz
 352f3fead392841b91d16f936695c9d7b0cce43c 13641 rexical_1.0.7-1_source.buildinfo
Checksums-Sha256:
 e10170a2b928f1525d8c1ca88117add7197e25e71f8dc1d76d855b94672e150e 1669 rexical_1.0.7-1.dsc
 940e65d383d521ecf6e2a01848d1194d320d872bf61ec59912106ed56c9789cf 17852 rexical_1.0.7.orig.tar.gz
 cd60b8dc50c76237b18ad0db7e6a7ecfcb4a7f5975634b075eb4509661646453 5840 rexical_1.0.7-1.debian.tar.xz
 2ba301b9490b86d04e2f41baddca8ea4c3fac202d0faa37795cab40df4fa93cd 13641 rexical_1.0.7-1_source.buildinfo
Files:
 b171b575faa07cb4175f4a006d5d429e 1669 ruby optional rexical_1.0.7-1.dsc
 5d2f25170b5d3c9a0f60e86ac4953ef8 17852 ruby optional rexical_1.0.7.orig.tar.gz
 c9680e4d1a9a5d95c81408e8dc9f3daa 5840 ruby optional rexical_1.0.7-1.debian.tar.xz
 935ae8b46e55511c493dc8f6c811e8c7 13641 ruby optional rexical_1.0.7-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEnM1rMZ2/jkCrGr0aia+CtznNIXoFAl4lybgACgkQia+CtznN
IXoYpgf/f3asm2NubNT9iYi/wglrst8kIefnHv3m2gynIazSZq9Wk+xTnrB245vQ
xAmw5jyjDJJG+DdUiGGTzqN9VIOg7hZw9yCp3ec0Trrt49QDUOIGqQyoxw8KEkJL
Z4BZmkX0+IasNlPCVHwbahQ+CSysQxJvFCmaioVa1wB/4obfOIFCrx2sLPYrNTUl
m7sSK1xoEvYtED9WUQw78y6i3dCe+gL/4T9j7d7yTp45JKZGIXJt5+f79ZDf93FB
00YQWQsOcxd5nsGNi/V0Ol4s8wCfkpbe5XUOe3fvvv/hgvP7vldZqPzLzqSszGJX
ElOYFI0jXHxS8aQb473FnHLYZlZRCA==
=jVCK
-----END PGP SIGNATURE-----

--- End Message ---
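The changelog entry above summarises the fix as "prefer File.open to Kernel.open". The following is an added example, not code from the bug report, from Rexical or from Nokogiri, that shows why that one-line change closes the hole: `Kernel.open` treats a filename whose first character is `|` as a command to run in a subprocess, while `File.open` only ever opens a file. The function names (`load_file_unsafe`, `load_file_safe`, `demo`), the constructed scanner text in `SAMPLE_SCANNER` and the temp-file setup are all assumptions for the demonstration; the real `Nokogiri::CSS::Tokenizer#load_file` is not reproduced here.

```ruby
require "tempfile"

# Pre-fix shape (hypothetical; mirrors the pattern the CVE text describes).
# Kernel.open is the generic "open anything" entry point: a filename that
# begins with "|" is executed as a shell command and its stdout is returned,
# so an attacker who controls the filename controls the command.
def load_file_unsafe(filename)
  Kernel.open(filename, "r", &:read)
end

# Post-fix shape (the change the changelog describes): File.open only
# resolves paths. A leading "|" is just another byte in the path, so the
# worst an untrusted filename can do is fail with Errno::ENOENT.
def load_file_safe(filename)
  File.open(filename, "r", &:read)
end

# Constructed sample of a scanner description; content is irrelevant,
# it only has to round-trip through the two loaders unchanged.
SAMPLE_SCANNER = "class Lexer\nmacro\n  BLANK  \\s+\nrule\n  {BLANK}\nend\n"

# Writes SAMPLE_SCANNER to a temporary file and yields its path.
def with_sample_file
  Tempfile.create(["scanner", ".rex"]) do |tmp|
    tmp.write(SAMPLE_SCANNER)
    tmp.flush
    yield tmp.path
  end
end

# Returns a hash of booleans summarising the behaviour of both loaders.
def demo
  results = {}

  # On an ordinary path both loaders behave identically.
  with_sample_file do |path|
    results[:safe_reads_file]   = (load_file_safe(path)   == SAMPLE_SCANNER)
    results[:unsafe_reads_file] = (load_file_unsafe(path) == SAMPLE_SCANNER)
  end

  # A pipe-prefixed name of the kind an untrusted caller could supply.
  # Only the hardened loader is exercised with it: File.open looks for a
  # file literally named "|echo pwned", finds none, and raises ENOENT.
  # No subprocess is spawned. (Kernel.open is deliberately not called here.)
  hostile_name = "|echo pwned"
  results[:safe_rejects_pipe] =
    begin
      load_file_safe(hostile_name)
      false                       # reached only if a file with that name exists
    rescue Errno::ENOENT
      true
    end

  results
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The same reasoning applies to other `Kernel` and `IO` conveniences that accept a command-or-path string (`IO.read`, `IO.readlines`, `IO.foreach`): when the argument can come from outside the process, a `File` method that only understands paths is the safe choice, and a code review for this bug class is a search for `open(` calls whose receiver is implicit rather than `File`.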