group.of.nepali.translators team mailing list archive

[Bug 1669894] Re: Security - CVE-2017-5946

Hello again, Phillip. I made a mistake while triaging this bug last week
because I mistakenly thought that ruby-zip was in main. It turns out
that ruby-zip is in universe and, therefore, it is community supported.
If you are able, I suggest coordinating with upstream and posting a
debdiff for this issue. When a debdiff is available, members of the
security team will review it and publish the package. See the following
link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures.

I'm in the process of syncing the Debian security update for libzip-ruby
in 12.04 and for ruby-zip in Zesty (soon to be 17.04). There are no
syncs available for 16.04 or 16.10 so it'd be much appreciated if you
could provide debdiffs for those releases.

** Changed in: libzip-ruby (Ubuntu)
       Status: New => In Progress

** Also affects: libzip-ruby (Ubuntu Zesty)
   Importance: Undecided
       Status: In Progress

** Also affects: ruby-zip (Ubuntu Zesty)
   Importance: Undecided
       Status: Triaged

** Also affects: libzip-ruby (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: ruby-zip (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: libzip-ruby (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: ruby-zip (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** No longer affects: libzip-ruby (Ubuntu Zesty)

** No longer affects: libzip-ruby (Ubuntu Yakkety)

** No longer affects: libzip-ruby (Ubuntu Xenial)

** Changed in: ruby-zip (Ubuntu Zesty)
       Status: Triaged => In Progress

** Changed in: ruby-zip (Ubuntu Yakkety)
       Status: New => Incomplete

** Changed in: ruby-zip (Ubuntu Xenial)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1669894

Title:
  Security - CVE-2017-5946

Status in libzip-ruby package in Ubuntu:
  In Progress
Status in ruby-zip package in Ubuntu:
  In Progress
Status in ruby-zip source package in Xenial:
  Incomplete
Status in ruby-zip source package in Yakkety:
  Incomplete
Status in ruby-zip source package in Zesty:
  In Progress

Bug description:
  This version of rubyzip is vulnerable to directory traversal attacks.
  Please see CVE-2017-5946.

  It needs to be upgraded to version 1.2.1. It is currently on version
  1.1.7.
