Bug#931932: CVE-2019-13574


Bug#931932: CVE-2019-13574

Moritz Muehlenhoff
Package: ruby-mini-magick
Severity: grave
Tags: security

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13574

Cheers,
        Moritz


Bug#931932: CVE-2019-13574

Salvatore Bonaccorso-4
Hi,

On Fri, Jul 12, 2019 at 03:58:05PM +0200, Moritz Muehlenhoff wrote:
> Package: ruby-mini-magick
> Severity: grave
> Tags: security
>
> Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13574

FTR, for stretch and buster this was addressed in DSA 4481-1.

For sid/bullseye it might be sensible to just move to 4.9.4.

Regards,
Salvatore


Bug#931932: fixed in ruby-mini-magick 4.9.2-1+deb10u1

Utkarsh Gupta
In reply to this post by Moritz Muehlenhoff
Hey Salvatore,

On Tue, 16 Jul 2019 21:07:05 +0000 Salvatore Bonaccorso
<[hidden email]> wrote:
> Source: ruby-mini-magick
> Source-Version: 4.9.2-1+deb10u1
>
> We believe that the bug you reported is fixed in the latest version of
> ruby-mini-magick, which is due to be installed in the Debian FTP archive.

Where is the source of this upload?
I can't seem to find any changelog entries :(
Neither any separate branch :(

I am sorry if I am missing anything obvious, but maybe you could help?

> A summary of the changes between this version and the previous one is
> attached.
>
> Thank you for reporting the bug, which will now be closed. If you
> have further comments please address them to [hidden email],
> and the maintainer will reopen the bug report if appropriate.
>
> Debian distribution maintenance software
> pp.
> Salvatore Bonaccorso <[hidden email]> (supplier of updated
> ruby-mini-magick package)
>
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing [hidden email])


Bug#931932: fixed in ruby-mini-magick 4.9.2-1+deb10u1

Salvatore Bonaccorso-4
Hey!

On Wed, Jul 24, 2019 at 10:43:40AM +0530, Utkarsh Gupta wrote:

> Hey Salvatore,
>
> On Tue, 16 Jul 2019 21:07:05 +0000 Salvatore Bonaccorso
> <[hidden email]> wrote:
> > Source: ruby-mini-magick
> > Source-Version: 4.9.2-1+deb10u1
> >
> > We believe that the bug you reported is fixed in the latest version of
> > ruby-mini-magick, which is due to be installed in the Debian FTP archive.
>
> Where is the source of this upload?
> I can't seem to find any changelog entries :(
> Neither any separate branch :(

Not on salsa. I'm not part of the ruby team, and apparently the
master branch did already track the experimental upload, so I just did
a traditional NMU. The debdiff to import in the packaging repo is
found at:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931932#23

I would suggest updating to an upstream version which has the fix
and then uploading later on to unstable. It would be nice to incorporate the
NMU (in the changelog as well) so that the BTS correctly tracks the fixed
versions.

Does this help?

Regards,
Salvatore


Bug#931932: fixed in ruby-mini-magick 4.9.2-1+deb10u1

Utkarsh Gupta
Hey,

On 24/07/19 10:53 am, Salvatore Bonaccorso wrote:

> Hey!
>
> On Wed, Jul 24, 2019 at 10:43:40AM +0530, Utkarsh Gupta wrote:
>> Hey Salvatore,
>>
>> On Tue, 16 Jul 2019 21:07:05 +0000 Salvatore Bonaccorso
>> <[hidden email]> wrote:
>>> Source: ruby-mini-magick
>>> Source-Version: 4.9.2-1+deb10u1
>>>
>>> We believe that the bug you reported is fixed in the latest version of
>>> ruby-mini-magick, which is due to be installed in the Debian FTP archive.
>> Where is the source of this upload?
>> I can't seem to find any changelog entries :(
>> Neither any separate branch :(
> Not on salsa. I'm not part of the ruby team, and apparently the
> master branch did already track the experimental upload, so I just did
> a traditional NMU. The debdiff to import in the packaging repo is
> found at:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931932#23
>
> I would suggest updating to an upstream version which has the fix
> and then uploading later on to unstable. It would be nice to incorporate the
> NMU (in the changelog as well) so that the BTS correctly tracks the fixed
> versions.
>
> Does this help?
Perfecto, thanks! :D


Best,
Utkarsh
