[DRE-commits] [ruby-rack-ssl] 01/01: Fix CVE-2014-2538 for jessie
zeha at debian.org
Sun Nov 30 14:36:21 UTC 2014
This is an automated email from the git hooks/post-receive script.
zeha pushed a commit to branch jessie
in repository ruby-rack-ssl.
commit a0b7ae728b07ad33f324666dd7babb34270ae214
Author: Christian Hofstaedtler <zeha at debian.org>
Date: Sun Nov 30 15:28:17 2014 +0100
Fix CVE-2014-2538 for jessie
---
debian/changelog | 10 ++++++++
.../patches/0001-Handle-bad-URIs-gracefully.patch | 27 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 38 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 4220b84..c0f4b9d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+ruby-rack-ssl (1.3.2-4) unstable; urgency=medium
+
+ * Team upload.
+ * Add patch to fix CVE-2014-2538. Our patch is based on
+ upstream 9d7d7300b907e496db68d89d07fbc2e0df0b487b.
+ (Closes: #742186)
+ Thanks to Moritz Muehlenhoff for the pointer.
+
+ -- Christian Hofstaedtler <zeha at debian.org> Sun, 30 Nov 2014 15:24:17 +0100
+
ruby-rack-ssl (1.3.2-3) unstable; urgency=medium
* Add myself to Uploaders:
diff --git a/debian/patches/0001-Handle-bad-URIs-gracefully.patch b/debian/patches/0001-Handle-bad-URIs-gracefully.patch
new file mode 100644
index 0000000..06c71da
--- /dev/null
+++ b/debian/patches/0001-Handle-bad-URIs-gracefully.patch
@@ -0,0 +1,27 @@
+From 9d7d7300b907e496db68d89d07fbc2e0df0b487b Mon Sep 17 00:00:00 2001
+From: Xavier Shay <xavier at squareup.com>
+Date: Tue, 9 Jul 2013 08:49:27 -0700
+Subject: [PATCH] Handle bad URIs gracefully.
+
+Some adapters (i.e. jruby-rack) will pass through bad URIs, then display
+the resulting exception. This creates an attack vector for XSS attacks.
+
+[Refreshed for 1.3.x, remove test as 1.3.x has no tests. -zeha at d.o.]
+---
+ lib/rack/ssl.rb | 2 ++
+ test/test_ssl.rb | 8 ++++++++
+ 2 files changed, 10 insertions(+)
+
+Index: ruby-rack-ssl/lib/rack/ssl.rb
+===================================================================
+--- ruby-rack-ssl.orig/lib/rack/ssl.rb 2014-11-30 15:22:21.088079637 +0100
++++ ruby-rack-ssl/lib/rack/ssl.rb 2014-11-30 15:23:31.800007708 +0100
+@@ -54,6 +54,8 @@ module Rack
+ 'Location' => url.to_s)
+
+ [301, headers, []]
++ rescue URI::InvalidURIError
++ [404, {}, []]
+ end
+
+ # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
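Review bot: the new rescue branch in the lib/rack/ssl.rb hunk answers an unparseable request URI with "[404, {}, []]", i.e. an empty header hash, so the 404 carries no Content-Type; Rack's SPEC (as enforced by Rack::Lint) expects a Content-Type on any response other than 1xx/204/304, so consider returning a minimal header hash such as {'Content-Type' => 'text/plain'} alongside the 404, or confirm the servers this package targets tolerate the bare response. The rescue itself is attached to the method body (it sits between the "[301, headers, []]" return and the closing "end"), which is the right scope, since the URI is built earlier in that method where 'Location' => url.to_s is assembled. Separately, the retained upstream header still lists "test/test_ssl.rb | 8 ++++++++" and "2 files changed, 10 insertions(+)" while the refreshed body only touches lib/rack/ssl.rb (the test was intentionally dropped, per the bracketed note); the stale diffstat should be corrected to "1 file changed, 2 insertions(+)" or removed so the patch header describes what it actually applies.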
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..d6ad3f7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-Handle-bad-URIs-gracefully.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-rack-ssl.git