Your message dated Sat, 11 Jan 2025 11:03:09 +0000
with message-id <e1twzgn-009jby...@coccia.debian.org>
and subject line Close 1089568
has caused the Debian Bug report #1089568,
regarding bookworm-pu: package ruby-doorkeeper/5.5.0-2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1089568: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089568
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: secur...@debian.org, Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>

  * CVE-2023-34246: Improper Authentication (Closes: #1038950)
diffstat for ruby-doorkeeper-5.5.0 ruby-doorkeeper-5.5.0

 changelog                                                            |    7 ++
 patches/0001-Block-public-clients-automatic-authorization-skip.patch |   31 ++++++++++
 patches/series                                                       |    1 
 3 files changed, 39 insertions(+)

diff -Nru ruby-doorkeeper-5.5.0/debian/changelog 
ruby-doorkeeper-5.5.0/debian/changelog
--- ruby-doorkeeper-5.5.0/debian/changelog      2021-08-27 14:15:52.000000000 
+0300
+++ ruby-doorkeeper-5.5.0/debian/changelog      2024-12-08 23:42:11.000000000 
+0200
@@ -1,3 +1,10 @@
+ruby-doorkeeper (5.5.0-2+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2023-34246: Improper Authentication (Closes: #1038950)
+
+ -- Adrian Bunk <b...@debian.org>  Sun, 08 Dec 2024 23:42:11 +0200
+
 ruby-doorkeeper (5.5.0-2) unstable; urgency=medium
 
   [ Debian Janitor ]
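Review bot: the changelog line `+  * CVE-2023-34246: Improper Authentication (Closes: #1038950)` gives only the CWE-style category; for a stable update an administrator reading the changelog cannot tell what was exposed. Stating the concrete effect taken from the patch description (a public, non-confidential OAuth client holding an existing matching token could skip the authorization consent prompt) and naming the upstream report (doorkeeper-gem/doorkeeper issue 1589, which the patch cites) would make the entry self-explanatory.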
diff -Nru 
ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch
 
ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch
--- 
ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch
   1970-01-01 02:00:00.000000000 +0200
+++ 
ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch
   2024-12-08 23:41:54.000000000 +0200
@@ -0,0 +1,31 @@
+From 992ead90a17e368129bed6750da2f90e9e720e80 Mon Sep 17 00:00:00 2001
+From: Adam Heath <a...@polleverywhere.com>
+Date: Fri, 17 Mar 2023 16:41:30 +0800
+Subject: Block public clients automatic authorization skip
+
+Non-confidential applications should not be able to skip the authorization 
stop, even if they have an existing matching_token.
+
+From the [issue](https://github.com/doorkeeper-gem/doorkeeper/issues/1589):
+> According to RFC 8252 section 8.6, the authentication server should 
re-prompt for user consent, since the client's identity cannot be assured 
simply from the client_id parameter
+
+Fixes https://github.com/doorkeeper-gem/doorkeeper/issues/1589
+---
+ app/controllers/doorkeeper/authorizations_controller.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/app/controllers/doorkeeper/authorizations_controller.rb 
b/app/controllers/doorkeeper/authorizations_controller.rb
+index 71dce31c..81445875 100644
+--- a/app/controllers/doorkeeper/authorizations_controller.rb
++++ b/app/controllers/doorkeeper/authorizations_controller.rb
+@@ -23,7 +23,7 @@ module Doorkeeper
+     private
+ 
+     def render_success
+-      if skip_authorization? || matching_token?
++      if skip_authorization? || (matching_token? && 
pre_auth.client.application.confidential?)
+         redirect_or_render authorize_response
+       elsif Doorkeeper.configuration.api_only
+         render json: pre_auth
+-- 
+2.30.2
+
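Review bot: the backport carries the controller change only (`1 file changed, 1 insertion(+), 1 deletion(-)`) with no regression spec, and the patch header has no DEP-3 fields, so the commit it was taken from is only implied by the git hash on the first line. Add `Origin: upstream, https://github.com/doorkeeper-gem/doorkeeper/commit/992ead90a17e368129bed6750da2f90e9e720e80` and `Bug-Debian: https://bugs.debian.org/1038950` above the description, and consider carrying the upstream spec that exercises the public-client path so the build-time test run proves the new condition `(matching_token? && pre_auth.client.application.confidential?)` actually re-prompts for non-confidential applications. A minor point on that condition: `matching_token?` is evaluated before `confidential?`, so the token lookup still runs for public clients whose result is then discarded; swapping the two operands would avoid it, provided nothing later in the request relies on `matching_token?` having been called.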
diff -Nru ruby-doorkeeper-5.5.0/debian/patches/series 
ruby-doorkeeper-5.5.0/debian/patches/series
--- ruby-doorkeeper-5.5.0/debian/patches/series 1970-01-01 02:00:00.000000000 
+0200
+++ ruby-doorkeeper-5.5.0/debian/patches/series 2024-12-08 23:42:10.000000000 
+0200
@@ -0,0 +1 @@
+0001-Block-public-clients-automatic-authorization-skip.patch

--- End Message ---
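As an added illustration that is not part of this bug report or of the Doorkeeper code base: a small Ruby model of the consent-skip decision the patch above changes, with the pre-fix condition beside the fixed one. The `Application`, `AccessToken`, `TokenStore` and `AuthorizationDecision` names, the sample records and the scope-subset matching rule are assumptions made for the example; only the shape of the condition (`skip_authorization? || matching_token?` versus the added confidential-client guard) comes from the patch.

```ruby
# Added example, not Doorkeeper's code: an in-memory model of the decision in
# Doorkeeper::AuthorizationsController#render_success, before and after the
# CVE-2023-34246 fix. Every class and method name below is an assumption.
require "set"

# Hypothetical records standing in for Doorkeeper's Application / AccessToken.
Application = Struct.new(:uid, :confidential, keyword_init: true)
AccessToken = Struct.new(:application_uid, :resource_owner_id, :scopes,
                         :revoked, :expired, keyword_init: true)

class TokenStore
  def initialize(tokens)
    @tokens = tokens
  end

  # Same idea as the lookup behind Doorkeeper's matching_token?: a live token
  # for this client and resource owner whose scopes cover the request.
  def matching_token_for(app, resource_owner_id, requested_scopes)
    @tokens.find do |t|
      t.application_uid == app.uid &&
        t.resource_owner_id == resource_owner_id &&
        !t.revoked && !t.expired &&
        requested_scopes.subset?(t.scopes)
    end
  end
end

class AuthorizationDecision
  def initialize(store, skip_authorization: false)
    @store = store
    @skip_authorization = skip_authorization # stands in for skip_authorization?
  end

  # Pre-patch logic: any matching token auto-approves, whatever the client type.
  def vulnerable(app, resource_owner_id, scopes)
    if @skip_authorization || matching_token?(app, resource_owner_id, scopes)
      :redirect_with_grant   # grant issued without showing the consent page
    else
      :render_consent        # user is asked to authorize
    end
  end

  # Patched logic: a matching token only skips consent for confidential clients,
  # because a public client's client_id alone does not prove who is asking.
  def patched(app, resource_owner_id, scopes)
    if @skip_authorization ||
       (matching_token?(app, resource_owner_id, scopes) && app.confidential)
      :redirect_with_grant
    else
      :render_consent
    end
  end

  private

  def matching_token?(app, resource_owner_id, scopes)
    !@store.matching_token_for(app, resource_owner_id, scopes).nil?
  end
end

# Constructed sample data: one confidential and one public client, each with
# a live token for resource owner 1.
CONFIDENTIAL_APP = Application.new(uid: "web-backend", confidential: true)
PUBLIC_APP       = Application.new(uid: "mobile-app",  confidential: false)
STORE = TokenStore.new([
  AccessToken.new(application_uid: "web-backend", resource_owner_id: 1,
                  scopes: Set["read", "write"], revoked: false, expired: false),
  AccessToken.new(application_uid: "mobile-app", resource_owner_id: 1,
                  scopes: Set["read"], revoked: false, expired: false),
])
DECISION = AuthorizationDecision.new(STORE)

# Run both code paths for one request; returns [vulnerable_result, patched_result].
def compare(app, resource_owner_id, scopes)
  [DECISION.vulnerable(app, resource_owner_id, scopes),
   DECISION.patched(app, resource_owner_id, scopes)]
end

if __FILE__ == $PROGRAM_NAME
  p compare(PUBLIC_APP, 1, Set["read"])           # [:redirect_with_grant, :render_consent]
  p compare(CONFIDENTIAL_APP, 1, Set["read"])     # [:redirect_with_grant, :redirect_with_grant]
  p compare(PUBLIC_APP, 1, Set["read", "write"])  # [:render_consent, :render_consent]
end
```

The first call is the case the CVE describes: the public client already holds a token for this user, so the old condition redirects with a grant immediately, while the patched condition falls through to the consent page. The confidential client keeps the silent re-authorization, and a request for scopes the stored token does not cover is prompted on both paths.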
--- Begin Message ---
Version: 12.9
This update has been released as part of 12.9. Thank you for your contribution.

--- End Message ---
