143369 2006-08-09 10:54 0000 dev-ruby/rails < 1.1.6 security issue 2006-09-02 14:48:40 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure B1? [glsa] DerCorny P2 major --- 1 vlad@hashbang.de security@gentoo.org fmccor@gentoo.org gentoo-bugzilla@moinmarco.de ruby@gentoo.org vlad@hashbang.de 2006-08-09 10:54:12 0000 A 'mandatory' security patch has been released. Ebuilds should be updated too. More info: http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits dercorny@gentoo.org 2006-08-09 11:09:43 0000 Ruby, please provide fixed ebuilds, thanks. caleb@gentoo.org 2006-08-09 11:37:29 0000 It's in portage as rails-1.1.5 Also affects (and now in portage): actionmailer-1.2.4 actionpack-1.12.4 actionwebservice-1.1.5 activerecord-1.14.4 does NOT affect: activesupport-1.3.1 I suppose we need arches to mark stable sooner than later; I'd like them to test and make sure the install goes okay for everyone (worked fine here). According to the site the differences between 1.1.4 and 1.1.5 are minimal save for the security stuff. I hope that's right. dercorny@gentoo.org 2006-08-09 11:41:14 0000 arches, please test and stable rails-1.1.5, thank you dercorny@gentoo.org 2006-08-09 11:42:12 0000 ... and of course also the other packages as mentioned in comment #2 sorry dertobi123@gentoo.org 2006-08-09 12:52:48 0000 ppc stable thedude0001@gmx.de 2006-08-09 13:35:38 0000 I get a digest failure on actionpack-1.12.4: >>> checking actionpack-1.12.4.gem !!! Digest verification failed: !!! /usr/portage/distfiles/actionpack-1.12.4.gem !!! Reason: Filesize does not match recorded size !!! Got: 530432 !!! Expected: 529920 Other than that this is good to go on amd64. emerge --info Portage 2.1-r1 (default-linux/amd64/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17-suspend2-r3-Dudebox-Edition x86_64) ================================================================= System uname: 2.6.17-suspend2-r3-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+ Gentoo Base System version 1.6.15 ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -O2 -pipe -msse3" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=k8 -O2 -pipe -msse3" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/" LINGUAS="de" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://server/gentoo-portage" USE="amd64 X alsa arts avi berkdb bitmap-fonts cli crypt cups dlloader dri eds emboss encode foomaticdb fortran gif gnome gpm gstreamer gtk gtk2 imlib ipv6 isdnlog jpeg kde kdeenablefinal lzw lzw-tiff mp3 mpeg ncurses nls nptl opengl pam pcre pdflib perl png pppd python qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd tiff truetype-fonts type1-fonts unicode usb userlocales xorg xpm xv zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux linguas_de userland_GNU video_cards_dummy" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY caleb@gentoo.org 2006-08-09 13:38:32 0000 of course, they changed the .gem after the announcement... argh caleb@gentoo.org 2006-08-09 13:39:47 0000 I recommitted the new digest. I hope mirroring doesn't cause major breakage. tcort@gentoo.org 2006-08-09 13:52:35 0000 amd64 stable. tsunam@gentoo.org 2006-08-09 20:58:43 0000 x86 stable, I didnt' find any rubies..who stole them all ? jaervosz@gentoo.org 2006-08-10 00:36:41 0000 Rerating as I doubt this will be more than a B1. jakub@gentoo.org 2006-08-10 02:18:48 0000 Some real info on the problem (upstream-- for their security by obscurity approach). http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html fmccor@gentoo.org 2006-08-10 05:03:27 0000 All stable on sparc. Notes: 1. sparc tests used lighttpd; 2. script/server (for testing connections from local & remote) generates a lot of annoying 'method redefined' warnings; 3. Test system is running ruby-1.8.4-r3 vlad@hashbang.de 2006-08-10 11:56:39 0000 BTW, 1.1.5 is now obsolete, 1.1.6 has been released today. caleb@gentoo.org 2006-08-10 12:03:36 0000 yeah, but as of now I'm not able to download the gems so I can't do updates in portage yet. caleb@gentoo.org 2006-08-10 13:19:45 0000 ok, gems now available. all have been bumped accordingly, and I left the already stable arches alone since the diff between 1.1.5 and 1.1.6 was basically trivial. so we're waiting on ia64 and the bsd folks. gentoo-bugzilla@moinmarco.de 2006-08-10 17:49:23 0000 http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure says upgrade to 1.1.6 is security related. According to http://www.ruby-forum.com/topic/76671 calling urls such as http://127.0.0.1:3000/builder/blankslate http://127.0.0.1:3000/active_support/dependencies on 1.1.5 will cause all subsequent requests to fail. All of this was not tested by myself so YMMV. jaervosz@gentoo.org 2006-08-10 23:27:29 0000 1.1.6 is the new fixed version. It is already in Portage and stable as per comment #16. caleb@gentoo.org 2006-08-11 03:28:27 0000 I will delete the offending versions from portage sometime today (that's 1.1.0 through 1.1.5) falco@gentoo.org 2006-08-14 08:12:30 0000 GLSA 200608-20 sent