[DRE-commits] [ruby-rack-ssl] 01/01: Fix CVE-2014-2538 for jessie

zeha at debian.org
Sun Nov 30 14:36:21 UTC 2014


This is an automated email from the git hooks/post-receive script.

zeha pushed a commit to branch jessie
in repository ruby-rack-ssl.

commit a0b7ae728b07ad33f324666dd7babb34270ae214
Author: Christian Hofstaedtler <zeha at debian.org>
Date:   Sun Nov 30 15:28:17 2014 +0100

    Fix CVE-2014-2538 for jessie
---
 debian/changelog                                   | 10 ++++++++
 .../patches/0001-Handle-bad-URIs-gracefully.patch  | 27 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 38 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 4220b84..c0f4b9d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+ruby-rack-ssl (1.3.2-4) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch to fix CVE-2014-2538. Our patch is based on
+    upstream 9d7d7300b907e496db68d89d07fbc2e0df0b487b.
+    (Closes: #742186)
+    Thanks to Moritz Muehlenhoff for the pointer.
+
+ -- Christian Hofstaedtler <zeha at debian.org>  Sun, 30 Nov 2014 15:24:17 +0100
+
 ruby-rack-ssl (1.3.2-3) unstable; urgency=medium
 
   * Add myself to Uploaders:
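Review bot: the new changelog entry targets "unstable" while the commit lands on the jessie branch (see the header above: "zeha pushed a commit to branch jessie"); please confirm that this upload is meant to go through unstable and an unblock for the freeze rather than being prepared for a jessie-specific target, and adjust the distribution field if not. The entry could also mention that the upstream change was refreshed for 1.3.x and its test dropped, which the embedded patch header records but the changelog does not.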
diff --git a/debian/patches/0001-Handle-bad-URIs-gracefully.patch b/debian/patches/0001-Handle-bad-URIs-gracefully.patch
new file mode 100644
index 0000000..06c71da
--- /dev/null
+++ b/debian/patches/0001-Handle-bad-URIs-gracefully.patch
@@ -0,0 +1,27 @@
+From 9d7d7300b907e496db68d89d07fbc2e0df0b487b Mon Sep 17 00:00:00 2001
+From: Xavier Shay <xavier at squareup.com>
+Date: Tue, 9 Jul 2013 08:49:27 -0700
+Subject: [PATCH] Handle bad URIs gracefully.
+
+Some adapters (i.e. jruby-rack) will pass through bad URIs, then display
+the resulting exception. This creates an attack vector for XSS attacks.
+
+[Refreshed for 1.3.x, remove test as 1.3.x has no tests. -zeha at d.o.]
+---
+ lib/rack/ssl.rb  | 2 ++
+ test/test_ssl.rb | 8 ++++++++
+ 2 files changed, 10 insertions(+)
+
+Index: ruby-rack-ssl/lib/rack/ssl.rb
+===================================================================
+--- ruby-rack-ssl.orig/lib/rack/ssl.rb	2014-11-30 15:22:21.088079637 +0100
++++ ruby-rack-ssl/lib/rack/ssl.rb	2014-11-30 15:23:31.800007708 +0100
+@@ -54,6 +54,8 @@ module Rack
+                                         'Location'     => url.to_s)
+ 
+         [301, headers, []]
++      rescue URI::InvalidURIError
++        [404, {}, []]
+       end
+ 
+       # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
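Review bot: the diffstat in the embedded patch header is stale: it still lists "test/test_ssl.rb | 8 ++++++++" and "2 files changed, 10 insertions(+)" although the note "[Refreshed for 1.3.x, remove test ...]" says the test was dropped and the only hunk below touches lib/rack/ssl.rb; update it to "lib/rack/ssl.rb | 2 ++" and "1 file changed, 2 insertions(+)" (or drop the diffstat) so the patch describes what it actually applies. It would also help to add DEP-3 Origin and Bug-Debian fields (the upstream commit id and #742186 are both already named in the changelog). On the change itself, the rescue of URI::InvalidURIError returns "[404, {}, []]" with no headers at all; returning a 404 rather than letting the exception page reflect the bad URI is the right fix for the XSS vector the header describes, but an empty header hash omits Content-Type, which Rack::Lint flags for non-1xx/204/304 responses, so consider "{'Content-Type' => 'text/plain'}" there.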
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..d6ad3f7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-Handle-bad-URIs-gracefully.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-rack-ssl.git