Your message dated Fri, 07 Feb 2020 23:19:34 +0000
with message-id <e1j0cum-000bib...@fasolo.debian.org>
and subject line Bug#949870: fixed in ruby-geocoder 1.5.1-3
has caused the Debian Bug report #949870,
regarding ruby-geocoder: CVE-2020-7981
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
949870: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949870
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-geocoder
Version: 1.5.1-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for ruby-geocoder.
CVE-2020-7981[0]:
| sql.rb in Geocoder before 1.6.1 allows Boolean-based SQL injection
| when within_bounding_box is used in conjunction with untrusted sw_lat,
| sw_lng, ne_lat, or ne_lng data.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-7981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7981
[1] https://github.com/alexreisner/geocoder/commit/dcdc3d8675411edce3965941a2ca7c441ca48613
Regards,
Salvatore
--- End Message ---
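The pattern behind CVE-2020-7981, as an added example written for this page rather than code taken from the bug report, from Salvatore's message or from the geocoder gem (the real fix is the upstream commit linked at [1]): a bounding-box SQL fragment built by interpolating the four corner values verbatim, beside a hardened builder that coerces each coordinate to a finite, in-range float before it can reach the query text. The function names and the latitude/longitude column names are assumptions for the illustration.

```ruby
# Added example, not geocoder's own code. Helper and parameter names are assumed.

# Vulnerable shape: whatever the caller supplied for sw_lat/sw_lng/ne_lat/ne_lng
# is spliced straight into SQL, so a non-numeric string changes the query logic.
def build_bbox_sql_unsafe(sw_lat, sw_lng, ne_lat, ne_lng,
                          lat_attr: "latitude", lon_attr: "longitude")
  "#{lat_attr} BETWEEN #{sw_lat} AND #{ne_lat} AND " \
    "#{lon_attr} BETWEEN #{sw_lng} AND #{ne_lng}"
end

# Hardened shape: each value must parse as a finite number inside the legal
# range for that axis. Float() raises ArgumentError on non-numeric text and
# TypeError on nil, so only a numeric literal can ever be interpolated.
def coerce_coordinate(value, min, max)
  f = Float(value)
  unless f.finite? && f.between?(min, max)
    raise ArgumentError, "coordinate out of range: #{f}"
  end
  f
end

def build_bbox_sql_safe(sw_lat, sw_lng, ne_lat, ne_lng,
                        lat_attr: "latitude", lon_attr: "longitude")
  s_lat = coerce_coordinate(sw_lat, -90, 90)
  n_lat = coerce_coordinate(ne_lat, -90, 90)
  s_lng = coerce_coordinate(sw_lng, -180, 180)
  n_lng = coerce_coordinate(ne_lng, -180, 180)
  "#{lat_attr} BETWEEN #{s_lat} AND #{n_lat} AND " \
    "#{lon_attr} BETWEEN #{s_lng} AND #{n_lng}"
end

# Convenience predicate: true only if all four corners survive coercion.
def bounding_box_valid?(*coords)
  build_bbox_sql_safe(*coords)
  true
rescue ArgumentError, TypeError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one well-formed box, one with a non-numeric corner.
  puts build_bbox_sql_safe("1.5", "2.5", "3.5", "4.5")
  puts bounding_box_valid?("0 OR 1=1", "0", "1", "1")   # false
  puts build_bbox_sql_unsafe("0 OR 1=1", "0", "1", "1") # text passes through
end
```

Where the surrounding code can use bind parameters instead of a string fragment, prefer that; the coercion above is the minimum a fragment builder needs.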
--- Begin Message ---
Source: ruby-geocoder
Source-Version: 1.5.1-3
We believe that the bug you reported is fixed in the latest version of
ruby-geocoder, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 949...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <utka...@debian.org> (supplier of updated ruby-geocoder package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 07 Feb 2020 18:08:53 -0500
Source: ruby-geocoder
Architecture: source
Version: 1.5.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utka...@debian.org>
Closes: 949870
Changes:
ruby-geocoder (1.5.1-3) unstable; urgency=medium
.
* Add patch to fix CVE-2020-7981 (Closes: #949870)
--- End Message ---