Debian Package Tracker - ruby-secure-headers

general

source: ruby-secure-headers (main)
version: 6.1.1-1
maintainer: Debian Ruby Extras Maintainers (archive) (DMD)
uploaders: Abhijith PA [DMD]
arch: all
std-ver: 4.4.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 6.0.0-1
testing: 6.1.1-1
unstable: 6.1.1-1

versioned links

6.0.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.1.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ruby-secure-headers

action needed

A new upstream version is available: 6.3.0 high

A new upstream version 6.3.0 is available, you should consider packaging it.

Created: 2020-01-12 Last update: 2020-02-20 04:32

2 security issues in buster high

There are 2 open security issues in buster.

2 important issues:

CVE-2020-5217: In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied. The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s. Depending on what major version you are using, the fixed versions are 6.2.0, 5.1.0, 3.8.0.
CVE-2020-5216: In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline. This has been fixed in 6.3.0, 5.2.0, and 3.9.0.

Please fix them.

Created: 2020-01-25 Last update: 2020-01-28 19:01

2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:

CVE-2020-5217: In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied. The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s. Depending on what major version you are using, the fixed versions are 6.2.0, 5.1.0, 3.8.0.
CVE-2020-5216: In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline. This has been fixed in 6.3.0, 5.2.0, and 3.9.0.

Please fix them.

Created: 2020-01-25 Last update: 2020-01-28 19:01

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2020-5217: In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied. The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s. Depending on what major version you are using, the fixed versions are 6.2.0, 5.1.0, 3.8.0.
CVE-2020-5216: In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline. This has been fixed in 6.3.0, 5.2.0, and 3.9.0.

Please fix them.

Created: 2020-01-25 Last update: 2020-01-28 19:01

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 6.1.1-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 9f246cbfb1d4014ca9bc23d3fd5dc10c840d62d8
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Fri Nov 1 10:53:47 2019 +0000

    Remove obsolete fields Name, Contact from debian/upstream/metadata.

commit ea935fa0097e4adf15a7c86b607759cc48c4a457
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Fri Nov 1 10:53:30 2019 +0000

    Set fields Upstream-Contact in debian/copyright.

commit 377e8d32de5be0561f2557aa86157320404bed93
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Fri Nov 1 10:53:12 2019 +0000

    Use secure copyright file specification URI.
    
    Fixes lintian: insecure-copyright-format-uri
    See https://lintian.debian.org/tags/insecure-copyright-format-uri.html for more details.

Created: 2019-12-22 Last update: 2020-02-16 06:34

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.0 instead of 4.4.1).

Created: 2020-01-21 Last update: 2020-01-21 05:06

news

[rss feed]

[2019-10-27] ruby-secure-headers 6.1.1-1 MIGRATED to testing (Debian testing watch)
[2019-10-24] Accepted ruby-secure-headers 6.1.1-1 (source) into unstable (Samyak Jain) (signed by: Praveen Arimbrathodiyil)
[2018-12-29] ruby-secure-headers 6.0.0-1 MIGRATED to testing (Debian testing watch)
[2018-12-27] Accepted ruby-secure-headers 6.0.0-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2018-07-28] ruby-secure-headers 5.0.5-1 MIGRATED to testing (Debian testing watch)
[2018-07-25] Accepted ruby-secure-headers 5.0.5-1 (source) into unstable (Kannan V M) (signed by: Praveen Arimbrathodiyil)
[2017-09-21] ruby-secure-headers 3.7.1-1 MIGRATED to testing (Debian testing watch)
[2017-09-15] Accepted ruby-secure-headers 3.7.1-1 (source) into unstable (Sruthi Chandran) (signed by: Praveen Arimbrathodiyil)
[2017-09-07] ruby-secure-headers 3.5.0-1 MIGRATED to testing (Debian testing watch)
[2017-09-02] Accepted ruby-secure-headers 3.5.0-1 (source all) into unstable, unstable (Abhijith PA) (signed by: Praveen Arimbrathodiyil)

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.1.1-1