Your message dated Mon, 04 May 2026 07:19:02 +0000
with message-id <[email protected]>
and subject line Bug#1132583: fixed in ruby-ruby-lsp 0.26.9-0.1
has caused the Debian Bug report #1132583,
regarding ruby-ruby-lsp: CVE-2026-34060
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132583: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132583
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-ruby-lsp
Version: 0.26.7-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ruby-ruby-lsp.

CVE-2026-34060[0]:
| Ruby LSP is an implementation of the language server protocol for
| Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version
| 0.26.9, the rubyLsp.branch VS Code workspace setting was
| interpolated without sanitization into a generated Gemfile, allowing
| arbitrary Ruby code execution when a user opens a project containing
| a malicious .vscode/settings.json. This issue has been patched in
| Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34060
    https://www.cve.org/CVERecord?id=CVE-2026-34060
[1] https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93

Regards,
Salvatore

--- End Message ---
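As an added illustration of the vulnerability class named in the advisory above (this is not part of the bug report and not ruby-lsp's or the Debian package's own code; function names and the Gemfile layout are hypothetical): a generated Gemfile is Ruby source that Bundler evaluates, so a workspace setting copied into it verbatim becomes executable code. The block shows the unsafe interpolation pattern beside a hardened version that validates the branch name against a conservative allowlist first, plus a small scanner a defender can run over an already generated Gemfile.

```ruby
# Added example, not code from ruby-lsp or the Debian package. Models the flaw
# described in CVE-2026-34060: an untrusted "branch" setting interpolated
# unsanitized into a generated Gemfile that Bundler later evaluates as Ruby.

class UnsafeBranchSetting < ArgumentError; end

# Conservative allowlist for a git branch name (stricter than git's own rules):
# letters, digits, '.', '_', '-' and '/', starting with an alphanumeric
# character, no "..", no trailing "/", "." or ".lock". Everything that could
# break out of a Ruby string literal ('"', '#', '\', whitespace, control
# characters) is excluded by construction.
BRANCH_RE = %r{\A[A-Za-z0-9][A-Za-z0-9._/-]*\z}

def valid_branch?(branch)
  return false unless branch.is_a?(String)
  return false unless BRANCH_RE.match?(branch)
  return false if branch.include?("..")
  return false if branch.end_with?("/", ".", ".lock")
  true
end

# Vulnerable pattern (hypothetical generator): the setting is pasted straight
# into the Gemfile text, so a value containing '"' or '#{' changes the Ruby
# code that Bundler runs when it loads the file.
def unsafe_gemfile(branch)
  <<~GEMFILE
    source "https://rubygems.org"
    gem "ruby-lsp", git: "https://github.com/Shopify/ruby-lsp", branch: "#{branch}"
  GEMFILE
end

# Hardened version: refuse anything outside the allowlist before it reaches
# the generated file. After validation the value contains no quote, '#',
# backslash or newline, so placing it in a double-quoted literal is safe.
def safe_gemfile(branch)
  unless valid_branch?(branch)
    raise UnsafeBranchSetting, "rejected branch setting: #{branch.inspect}"
  end
  unsafe_gemfile(branch)
end

# Defender-side check over a Gemfile already on disk: does the branch: argument
# carry an interpolation marker or an unbalanced quote? Returns true if the
# line looks tampered with.
def gemfile_branch_looks_injected?(gemfile_text)
  line = gemfile_text.lines.find { |l| l.include?("branch:") }
  return false unless line
  value = line[/branch:\s*"(.*)"\s*\z/, 1]
  return true if value.nil?                      # quote structure is broken
  value.include?('#{') || value.include?('"')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not taken from any real workspace.
  puts safe_gemfile("release/1.2")
  begin
    safe_gemfile('main"#{x}')
  rescue UnsafeBranchSetting => e
    puts e.message
  end
end
```

The allowlist is deliberately narrower than what git accepts; rejecting an unusual but legitimate branch name is the cheap failure mode here, while accepting a single `"` or `#{` is the one the advisory describes.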
--- Begin Message ---
Source: ruby-ruby-lsp
Source-Version: 0.26.9-0.1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ruby-ruby-lsp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated ruby-ruby-lsp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 May 2026 13:18:57 +0300
Source: ruby-ruby-lsp
Architecture: source
Version: 0.26.9-0.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1132583
Changes:
 ruby-ruby-lsp (0.26.9-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - CVE-2026-34060: Arbitrary code execution through branch setting
       (Closes: #1132583)
Checksums-Sha1:
 1eba0728aaa78d0b94ffa142f19e5bf979e06424 2128 ruby-ruby-lsp_0.26.9-0.1.dsc
 f969a13cb79c17e2c40185ff6dc736f034e78341 16430009 ruby-ruby-lsp_0.26.9.orig.tar.gz
 12470cd6396406a07d92c74fb1a451f274bd7f37 2424 ruby-ruby-lsp_0.26.9-0.1.debian.tar.xz
Checksums-Sha256:
 9b0a67721b1d8563f82cd0c4a4faa2dca87e11b7e1b18654106d012dca57c529 2128 ruby-ruby-lsp_0.26.9-0.1.dsc
 7e7c6091b7cdb7455749dea4a682cc508ef9adb3c6940088aa22b178f9846523 16430009 ruby-ruby-lsp_0.26.9.orig.tar.gz
 9c8242006fd47ff111eadffa6c04ab8cd6192652f837b32ac1f83bf7cfd2ead8 2424 ruby-ruby-lsp_0.26.9-0.1.debian.tar.xz
Files:
 b6021f1926a4f3722825796cc7eed18c 2128 ruby optional ruby-ruby-lsp_0.26.9-0.1.dsc
 777b1a85bd06944a30b0b285547172ff 16430009 ruby optional ruby-ruby-lsp_0.26.9.orig.tar.gz
 994eef73ad11cf185bde2012e64063a2 2424 ruby optional ruby-ruby-lsp_0.26.9-0.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
