Bug 536274 - <dev-ruby/sprockets-{2.1.4,2.2.3,2.11.3,2.12.3}: Multiple directory traversal vulnerabilities (CVE-2014-7819)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-11 01:22 UTC by GLSAMaker/CVETool Bot
Modified: 2015-01-11 01:23 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 01:22:05 UTC
CVE-2014-7819 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7819):
  Multiple directory traversal vulnerabilities in server.rb in Sprockets
  before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3,
  2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x
  before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before
  2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed
  with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the
  existence of files outside the application root via a ../ (dot dot slash)
  sequence with (1) double slashes or (2) URL encoding.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2015-01-11 01:23:08 UTC
Tracking bug for the CVE only. Issue already fixed in tree by maintainers.
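
An added example, not code from this bug report or from Sprockets: a request-path check that decodes and normalizes before testing for traversal, so the two variants named in the CVE text (double slashes, URL encoding) are refused. The asset root, function names and sample requests are constructed for illustration, and POSIX paths are assumed.

```ruby
# Added example: names, root and sample requests are constructed for illustration.
ASSET_ROOT = "/srv/app/assets" # hypothetical application asset root (POSIX)

# Hypothetical naive filter: looks for ".." segments in the raw request path only.
def naive_forbidden?(raw_path)
  raw_path.split("/").include?("..")
end

# Decode %XX escapes exactly once, working on bytes to avoid encoding errors.
def percent_decode(str)
  str.b.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }
end

# Returns the absolute path under root, or nil if the request must be refused.
def resolve_asset(raw_path, root = ASSET_ROOT)
  decoded = percent_decode(raw_path)
  # A NUL byte or a surviving escape (double encoding) is never legitimate here.
  return nil if decoded.include?("\0") || decoded.match?(/%\h\h/)
  # Split on runs of slashes so "//" cannot produce an empty or absolute part.
  segments = decoded.split(%r{/+}).reject(&:empty?)
  return nil if segments.any? { |seg| seg == "." || seg == ".." }
  # Final containment check on the fully resolved path.
  full = File.expand_path(File.join(root, *segments))
  full.start_with?(root + "/") ? full : nil
end

# Constructed sample requests covering both variants named in the CVE text.
SAMPLES = [
  "/css/app.css",
  "/css//app.css",
  "//..//..//secret.txt",
  "/%2e%2e/%2e%2e/secret.txt",
  "/..%2f..%2fsecret.txt",
  "/%252e%252e/secret.txt"
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |req|
    printf("%-28s naive_blocks=%-5s resolved=%s\n",
           req, naive_forbidden?(req), resolve_asset(req).inspect)
  end
end
```

The naive filter misses the encoded requests because it inspects the path before decoding; the normalizing check refuses every traversal sample and still serves the two legitimate ones.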