Debian Package Tracker

ruby-carrierwave

Ruby file upload library

general
  • source: ruby-carrierwave (main)
  • version: 1.3.2-2
  • maintainer: Debian Ruby Extras Maintainers (archive) (DMD)
  • uploaders: Pirate Praveen [DMD]
  • arch: all
  • std-ver: 4.5.1
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.10.0+gh-4
  • o-o-bpo: 1.3.1-1~bpo9+1
  • oldstable: 1.3.1-2
  • unstable: 1.3.2-2
  • exp: 2.2.2-1
versioned links
  • 0.10.0+gh-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.3.1-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.3.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.3.2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.2.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • ruby-carrierwave
action needed
A new upstream version is available: 2.2.2 (high)
A new upstream version 2.2.2 is available, you should consider packaging it.
Created: 2020-06-29 Last update: 2022-05-17 09:34
1 security issue in sid (high)

There is 1 open security issue in sid.

1 important issue:
  • CVE-2021-21305: CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of the mutation option (:read/:write), allowing attackers to craft a string that can be executed as Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution (RCE). This is fixed in versions 1.3.2 and 2.1.1.
Created: 2021-02-19 Last update: 2022-04-04 19:05
1 security issue in bookworm (high)

There is 1 open security issue in bookworm.

1 important issue:
  • CVE-2021-21305: CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of the mutation option (:read/:write), allowing attackers to craft a string that can be executed as Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution (RCE). This is fixed in versions 1.3.2 and 2.1.1.
Created: 2021-08-16 Last update: 2021-12-06 15:06
2 security issues in bullseye (high)

There are 2 open security issues in bullseye.

2 important issues:
  • CVE-2021-21288: CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, the download feature has an SSRF vulnerability, allowing attackers to provide DNS entries or IP addresses that are intended for internal use and gather information about the intranet infrastructure of the platform. This is fixed in versions 1.3.2 and 2.1.1.
  • CVE-2021-21305: CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of the mutation option (:read/:write), allowing attackers to craft a string that can be executed as Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution (RCE). This is fixed in versions 1.3.2 and 2.1.1.
Created: 2021-02-19 Last update: 2021-04-13 12:00
The package has not entered testing even though the delay is over (normal)
The package has not entered testing even though the 5-day delay is over. Check why.
Created: 2022-04-04 Last update: 2022-05-17 11:35
1 new commit since last upload, is it time to release? (normal)
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit d930c34528849b8789a48c521b818397e59c8683
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Thu Sep 9 12:00:42 2021 +0000

    Remove constraints unnecessary since buster
    
    * Build-Depends: Drop versioned constraint on rails, ruby-activerecord, ruby-activesupport, ruby-fog-google, ruby-generator-spec, ruby-mini-magick, ruby-mini-mime and ruby-rspec.
    * ruby-carrierwave: Drop versioned constraint on ruby-activemodel, ruby-activesupport and ruby-mini-mime in Depends.
    
    Changes-By: deb-scrub-obsolete
Created: 2021-09-24 Last update: 2022-05-12 21:10
lintian reports 1 warning (normal)
Lintian reports 1 warning about this package. You should make the package lintian clean by getting rid of it.
Created: 2021-09-06 Last update: 2021-09-06 18:35
2 low-priority security issues in buster (low)

There are 2 open security issues in buster.

2 issues left for the package maintainer to handle:
  • CVE-2021-21288: (needs triaging) CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, the download feature has an SSRF vulnerability, allowing attackers to provide DNS entries or IP addresses that are intended for internal use and gather information about the intranet infrastructure of the platform. This is fixed in versions 1.3.2 and 2.1.1.
  • CVE-2021-21305: (needs triaging) CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of the mutation option (:read/:write), allowing attackers to craft a string that can be executed as Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution (RCE). This is fixed in versions 1.3.2 and 2.1.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2022-04-04 19:05
Standards version of the package is outdated. (wishlist)
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.6.1 instead of 4.5.1).
Created: 2021-08-18 Last update: 2022-05-11 23:24
testing migrations
  • excuses:
    • Migration status: Blocked. Can't migrate due to a non-migratable dependency. Check status below.
    • Blocked by: ruby-fog-google
    • Migration status for ruby-carrierwave (- to 1.3.2-2): BLOCKED: Cannot migrate due to another item, which is blocked (please check which dependencies are stuck)
    • Issues preventing migration:
      • Build-Depends(-Arch): ruby-carrierwave ruby-fog-google (not considered)
      • Invalidated by build-dependency
    • Additional info:
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/r/ruby-carrierwave.html
      • autopkgtest for ruby-carrierwave/1.3.2-2: amd64: No test results, arm64: No test results, armhf: No test results, i386: No test results, ppc64el: No test results, s390x: No test results
      • 338 days old (needed 5 days)
    • Not considered
news
  • [2022-04-05] ruby-carrierwave REMOVED from testing (Debian testing watch)
  • [2021-08-16] ruby-carrierwave 1.3.2-2 MIGRATED to testing (Debian testing watch)
  • [2021-06-13] Accepted ruby-carrierwave 2.2.2-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-06-13] Accepted ruby-carrierwave 1.3.2-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-06-13] Accepted ruby-carrierwave 1.3.2-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-04-16] ruby-carrierwave REMOVED from testing (Debian testing watch)
  • [2020-02-04] Accepted ruby-carrierwave 2.0.2-1 (source) into experimental (Sruthi Chandran)
  • [2019-04-01] ruby-carrierwave 1.3.1-2 MIGRATED to testing (Debian testing watch)
  • [2019-03-24] Accepted ruby-carrierwave 1.3.1-2 (source) into unstable (Utkarsh Gupta) (signed by: Praveen Arimbrathodiyil)
  • [2019-02-23] Accepted ruby-carrierwave 1.3.1-1~bpo9+1 (source all) into stretch-backports (Pirate Praveen) (signed by: Abhijith PA)
  • [2019-02-01] Accepted ruby-carrierwave 1.2.3-1~bpo9+1 (source all) into stretch-backports (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2019-01-31] ruby-carrierwave 1.3.1-1 MIGRATED to testing (Debian testing watch)
  • [2019-01-29] Accepted ruby-carrierwave 1.3.1-1 (source all) into unstable (suman) (signed by: Abhijith PA)
  • [2018-08-30] ruby-carrierwave 1.2.3-1 MIGRATED to testing (Debian testing watch)
  • [2018-08-28] Accepted ruby-carrierwave 1.2.3-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2018-08-15] ruby-carrierwave 1.2.2-1 MIGRATED to testing (Debian testing watch)
  • [2018-08-14] ruby-carrierwave REMOVED from testing (Debian testing watch)
  • [2018-06-17] Accepted ruby-carrierwave 1.2.2-1~bpo9+1 (source all) into stretch-backports, stretch-backports (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2018-03-20] ruby-carrierwave 1.2.2-1 MIGRATED to testing (Debian testing watch)
  • [2018-03-15] Accepted ruby-carrierwave 1.2.2-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2018-03-05] ruby-carrierwave 1.1.0-3 MIGRATED to testing (Debian testing watch)
  • [2018-02-27] Accepted ruby-carrierwave 1.1.0-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2018-02-23] Accepted ruby-carrierwave 1.1.0-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2017-07-24] Accepted ruby-carrierwave 1.1.0-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2016-12-01] ruby-carrierwave 0.10.0+gh-4 MIGRATED to testing (Debian testing watch)
  • [2016-11-28] Accepted ruby-carrierwave 0.10.0+gh-4 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2016-11-15] ruby-carrierwave 0.10.0+gh-3 MIGRATED to testing (Debian testing watch)
  • [2016-11-09] Accepted ruby-carrierwave 0.10.0+gh-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2016-08-26] Accepted ruby-carrierwave 0.11.2-1 (source) into experimental (Sruthi Chandran) (signed by: Praveen Arimbrathodiyil)
  • [2016-02-10] ruby-carrierwave 0.10.0+gh-2 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 1)
  • buildd: logs, exp, clang
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debci
ubuntu
  • version: 1.3.2-2

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.