Debian Package Tracker - ruby-faye-websocket

general

source: ruby-faye-websocket (main)
version: 0.10.7-1
maintainer: Debian Ruby Extras Maintainers (archive) (DMD)
uploaders: Utkarsh Gupta [DMD]
arch: all
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 0.10.7-1
testing: 0.10.7-1
unstable: 0.10.7-1

versioned links

0.10.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ruby-faye-websocket

action needed

A new upstream version is available: 0.11.0 high

A new upstream version 0.11.0 is available, you should consider packaging it.

Created: 2020-06-29 Last update: 2020-10-29 18:02

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2020-15133: In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended.

Please fix it.

Created: 2020-08-03 Last update: 2020-08-07 06:08

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2020-15133: In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended.

Please fix it.

Created: 2020-08-03 Last update: 2020-08-07 06:08

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 0.10.7-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit b0d3b8df2224dd638efcc644c0ed8e593910a761
Author: Cédric Boutillier <boutil@debian.org>
Date:   Thu Sep 3 20:18:52 2020 +0000

    [ci skip] Add .gitattributes to keep unwanted files out of the source package

commit 37b056191ab3be9cc5b19439b80529e667813cc7
Author: Cédric Boutillier <boutil@debian.org>
Date:   Tue Sep 1 13:44:49 2020 +0000

    [ci skip] Update team name

commit ff556949d5a073b58369ec4941bc8c7fdbc853c1
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Sun Mar 15 07:36:59 2020 +0000

    Update standards version to 4.4.1, no changes needed.
    
    Fixes: lintian: out-of-date-standards-version
    See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html

commit 729ff115738629fa51f007ed9a21d5ead119c5a8
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Sun Mar 15 07:36:30 2020 +0000

    Set upstream metadata fields: Bug-Database, Bug-Submit, Repository, Repository-Browse.
    
    Fixes: lintian: upstream-metadata-file-is-missing
    See-also: https://lintian.debian.org/tags/upstream-metadata-file-is-missing.html

commit 46bb7814a79ccb6e9a3156afa2fb117e530c3d18
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Sun Mar 15 07:35:59 2020 +0000

    Set debhelper-compat version in Build-Depends.
    
    Fixes: lintian: uses-debhelper-compat-file
    See-also: https://lintian.debian.org/tags/uses-debhelper-compat-file.html

commit b05e4bf18c2d26ac78ebb269360e9044aa25f3b6
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Sun Mar 15 07:35:31 2020 +0000

    Bump debhelper from old 11 to 12.
    
    Fixes: lintian: package-uses-old-debhelper-compat-version
    See-also: https://lintian.debian.org/tags/package-uses-old-debhelper-compat-version.html

commit d8ae97c3d77925c846df7c306706857356964fa1
Author: Utkarsh Gupta <guptautkarsh2102@gmail.com>
Date:   Tue Aug 13 04:46:21 2019 +0530

    Update d/ch

commit 0c29b774630e7bc930b02f40f8134c22a15e10c4
Author: Utkarsh Gupta <guptautkarsh2102@gmail.com>
Date:   Tue Aug 13 04:46:20 2019 +0530

    Add salsa-ci.yml

Created: 2019-08-13 Last update: 2020-10-22 22:08

1 ignored security issue in buster low

There is 1 open security issue in buster.

1 issue skipped by the security teams:

CVE-2020-15133: In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended.

Please fix it.

Created: 2020-08-03 Last update: 2020-08-07 06:08

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.0 instead of 4.3.0).

Created: 2019-07-08 Last update: 2020-01-21 05:06

news

[rss feed]

[2019-02-07] ruby-faye-websocket 0.10.7-1 MIGRATED to testing (Debian testing watch)
[2019-02-04] Accepted ruby-faye-websocket 0.10.7-1 (source all) into unstable, unstable (Utkarsh Gupta) (signed by: Praveen Arimbrathodiyil)

bugs [bug history graph]

all: 1
RC: 1
I&N: 0
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.10.7-1