A vulnerability has been reported in Mongrel, which can be exploited by malicious people to disclose sensitive information. The vulnerability is caused due to an error within the "DirHandler" class in lib/mongrel/handlers.rb. This can be exploited to download arbitrary files by using the "/.%252e" directory traversal sequence. The vulnerability is reported in version 1.0.4 and in 1.1.x versions prior to 1.1.3. Solution: Update to version 1.0.5 or 1.1.3. Reproducible: Always
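A defender's view of the bug described above, added here as an example and not Mongrel's own code: a static-file path resolver that percent-decodes exactly once, refuses anything still encoded (so "/.%252e" is rejected rather than becoming "/.." on a second decode), and confines the canonical path to the document root. DOC_ROOT and the function names are assumptions for this example.

```ruby
# Hardened request-path resolution for a static-file handler (example only,
# not the Mongrel DirHandler). The double-encoded "/.%252e" sequence decodes to
# "/.%2e" after one pass and to "/.." after a second; a handler that decodes
# twice, or hands a once-decoded path to a layer that decodes again, escapes
# the document root. Decoding once and refusing leftover '%' closes that gap.
DOC_ROOT = '/srv/www/public' # constructed sample root, assumed for this example

class TraversalRejected < StandardError; end

# Decode %XX escapes a single time, without '+'-to-space conversion.
def percent_decode_once(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Returns the absolute filesystem path for request_path, or raises
# TraversalRejected if the request could leave doc_root.
def resolve_request_path(request_path, doc_root = DOC_ROOT)
  decoded = percent_decode_once(request_path)
  # A '%' surviving one decode means the client double-encoded something
  # ("%252e" -> "%2e"); any later decode would turn it into ".".
  raise TraversalRejected, "encoded bytes after decode: #{decoded}" if decoded.include?('%')
  # Embedded NUL bytes truncate paths in C-level file APIs; never pass them on.
  raise TraversalRejected, 'NUL byte in path' if decoded.include?("\0")
  # Reject any dot-dot segment outright instead of trying to normalise it.
  raise TraversalRejected, "dot-dot segment: #{decoded}" if decoded.split('/').include?('..')
  root = File.expand_path(doc_root)
  full = File.expand_path(decoded.sub(%r{\A/+}, ''), root)
  # Belt and braces: the canonical path must still sit under the root.
  unless full == root || full.start_with?(root + '/')
    raise TraversalRejected, "outside document root: #{full}"
  end
  full
end

# Convenience predicate for logging or tests: true only for paths that resolve
# inside the document root.
def safe_path?(request_path, doc_root = DOC_ROOT)
  resolve_request_path(request_path, doc_root)
  true
rescue TraversalRejected
  false
end
```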
maintainers - please provide an updated ebuild
1.1.3 is now in the tree
Thanks! Arches, please test and mark stable www-servers/mongrel-1.1.3. Target keywords: "amd64 ppc ppc64 sparc x86"
ppc64 done
x86 stable
ppc stable
sparc stable
No tree available, but 1.1.3 has been tested on multiple amd64 servers. Anyone feel free to keyword it for me (welp). There might be some deps that need to go stable, but due to the nature of my setup I cannot say for certain.
amd64 stable. Thanks Mike.
This one is ready for GLSA vote. I tend to vote NO.
voting no too, and closing.