Your message dated Sat, 10 Feb 2018 21:03:15 +0000
with message-id <e1ekcil-000c6o...@fasolo.debian.org>
and subject line Bug#888523: fixed in ruby-omniauth 1.3.1-1+deb9u1
has caused the Debian Bug report #888523,
regarding ruby-omniauth: CVE-2017-18076: security issue in returning post
parameters from session in callback phase
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
888523: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888523
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-omniauth
Version: 1.2.1-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://github.com/omniauth/omniauth/pull/867
Control: fixed -1 1.6.1-1
For tracking this security issue in ruby-omniauth:
> Request phase of omniauth stores request.params in session which are
> later assigned in env of callback phase. According to docs we should
> only store query params but in this case both GET and POST params get
> stored. POST params can contain authenticity_token of application to
> protect from CSRF issues. We shouldn't leak such tokens from POST
> params.
https://github.com/omniauth/omniauth/pull/867
[A CVE has been requested]
Regards,
Salvatore
--- End Message ---
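The leak described in the quoted pull request, as an added stdlib-only Ruby illustration that is not omniauth's or the Debian package's own code: `request_phase` stands in for OmniAuth's request phase, `callback_phase` for its callback phase, and the sample query string and form body are constructed. The `fixed:` variant mirrors the upstream change of storing only the query-string parameters instead of every request parameter.

```ruby
# Added illustration of CVE-2017-18076 (not omniauth's code): a minimal
# stand-in for OmniAuth's request and callback phases, using only stdlib.
require 'uri'

# Parse "a=1&b=2" into a Hash of strings; constructed helper standing in for
# Rack::Request#GET / Rack::Request#POST.
def parse_form(str)
  URI.decode_www_form(str.to_s).to_h
end

# Request phase. The vulnerable variant stashes every parameter (query string
# AND form body) in the session; the fixed variant keeps only query params,
# mirroring the upstream change from request.params to request.GET.
def request_phase(session, query_string, post_body, fixed:)
  get_params  = parse_form(query_string)
  post_params = parse_form(post_body)
  session['omniauth.params'] = fixed ? get_params : get_params.merge(post_params)
  session
end

# Callback phase: whatever was stashed is copied into the Rack env, where the
# strategy, the application and any logging middleware can read it.
def callback_phase(session, env = {})
  env['omniauth.params'] = session.delete('omniauth.params') || {}
  env
end

# Constructed sample: a POST to the auth path from a Rails-style login form.
QUERY = 'return_to=%2Fdashboard'
BODY  = 'authenticity_token=CONSTRUCTED_CSRF_TOKEN&utf8=%E2%9C%93'

# Returns the params that reach the callback env for either variant.
def leaked_params(fixed:)
  session = request_phase({}, QUERY, BODY, fixed: fixed)
  callback_phase(session)['omniauth.params']
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{leaked_params(fixed: false).inspect}"
  puts "fixed:      #{leaked_params(fixed: true).inspect}"
end
```

With the vulnerable variant the form's `authenticity_token` survives into the callback env; with the fix only `return_to` does.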
--- Begin Message ---
Source: ruby-omniauth
Source-Version: 1.3.1-1+deb9u1
We believe that the bug you reported is fixed in the latest version of
ruby-omniauth, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pirate Praveen <prav...@debian.org> (supplier of updated ruby-omniauth package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Wed, 31 Jan 2018 12:37:09 +0530
Source: ruby-omniauth
Binary: ruby-omniauth
Architecture: source all
Version: 1.3.1-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <prav...@debian.org>
Description:
ruby-omniauth - flexible authentication system utilizing Rack middleware
Closes: 888523
Changes:
ruby-omniauth (1.3.1-1+deb9u1) stretch-security; urgency=high
.
* Fix security issue in returning post parameters from session in callback
phase (CVE-2017-18076) (Closes: #888523)
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers