Summary: | www-servers/puma-{3.12.5-r1,4.3.4-r1}: Multiple vulnerabilities (CVE-2020-{11076,11077}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Sam James <sam>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | ajak, ruby
Priority: | Normal | Flags: | nattka:sanity-check-
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | B4 [noglsa cve] | |
Package list: | www-servers/puma-3.12.5-r1 | |
Runtime testing required: | --- | |
Description
Sam James
2020-05-23 17:26:06 UTC

Comment #1 (Sam James):

@maintainer(s), please bump to 4.3.5/3.12.6.

Comment #2 (John Helmert III (ajak)):

(In reply to Sam James from comment #1)
> @maintainer(s), please bump to 4.3.5/3.12.6.

Have they been released?

puma $ git tag -l | grep 3.12
v3.12.0
v3.12.1
v3.12.2
v3.12.3
v3.12.4
v3.12.5
puma $ git tag -l | grep 4.3
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4

Comment #3 (Hans de Graaff):

(In reply to John Helmert III (ajak) from comment #2)
> (In reply to Sam James from comment #1)
> > @maintainer(s), please bump to 4.3.5/3.12.6.
>
> Have they been released?

They are released on rubygems: https://rubygems.org/gems/puma/ but our ebuilds are based on the tagged versions in github since we want to run the test suite. I'll see if the changes can be backported.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=866b1c92b435b1c6d03ed2e4dfb664a073ad089c

commit 866b1c92b435b1c6d03ed2e4dfb664a073ad089c
Author: Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2020-07-19 09:29:11 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2020-07-19 09:29:27 +0000

    www-servers/puma: backport CVE-2020-11077 fixes

    Upstream created releases but did not tag them so we cannot use them
    for our ebuilds. Backport the patches to address the security issue.

    Bug: https://bugs.gentoo.org/724800
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 .../puma/files/puma-3.12.5-cve-2020-11077.patch | 114 ++++++++++++++++++++
 .../puma/files/puma-4.3.4-cve-2020-11077.patch  | 115 +++++++++++++++++++++
 www-servers/puma/puma-3.12.5-r1.ebuild          |  71 +++++++++++++
 www-servers/puma/puma-4.3.4-r1.ebuild           |  75 ++++++++++++++
 4 files changed, 375 insertions(+)

(In reply to Hans de Graaff from comment #3)
> (In reply to John Helmert III (ajak) from comment #2)
> > (In reply to Sam James from comment #1)
> > > @maintainer(s), please bump to 4.3.5/3.12.6.
> >
> > Have they been released?
>
> They are released on rubygems: https://rubygems.org/gems/puma/ but our
> ebuilds are based on the tagged versions in github since we want to run the
> test suite. I'll see if the changes can be backported.

Thank you for doing that. Let us know when it's ready for stabilisation.

ping, ready to stable?

amd64 stable

x86 stable.

Maintainer(s), please cleanup.

Security, please vote.

GLSA vote: no

Comment #10 (Hans de Graaff):

Cleanup done.

Unable to check for sanity:

> no match for package: www-servers/puma-3.12.5-r1

(In reply to Hans de Graaff from comment #10)
> Cleanup done.

Thanks! noglsa, all done.

Oops, had to be reverted. :(

https://qa-reports.gentoo.org/output/gentoo-ci/e816065322/output.html

commit b843f088a13cf821b48c650e46224c2291bb1a87
Author: Thomas Deutschmann <whissi@gentoo.org>
Date:   Fri Aug 14 01:09:28 2020 +0200

    Revert "www-servers/puma: cleanup"

    This reverts commit cada7bf5534e62ad776c0eccdd82d08219e0483c.

    Removed www-servers/puma versions are still needed by

    - dev-ruby/actionpack
    - dev-ruby/capybara
    - dev-ruby/patron

    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 create mode 100644 www-servers/puma/puma-3.12.4.ebuild
 create mode 100644 www-servers/puma/puma-3.12.5-r1.ebuild
 create mode 100644 www-servers/puma/puma-4.3.3.ebuild
 create mode 100644 www-servers/puma/puma-4.3.4.ebuild

Comment #14 (Hans de Graaff):

Correct cleanup now done. Sorry for the additional noise.

(In reply to Hans de Graaff from comment #14)
> Correct cleanup now done. Sorry for the additional noise.

You maintain a large number of packages, are always responsive, and are as quick as you can be with us regularly. The odd mistake doesn't matter at all!

All done, thanks!