From ${URL} : It was reported [1] that when logging is enabled, ... puts passwords to the log file in plaintext.

Suggested fix: https://github.com/rest-client/rest-client/issues/352

[1]: https://github.com/rest-client/rest-client/issues/349

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
There is no upstream consensus on how to fix this properly and the logging in question does not occur by default. We'll wait until upstream has a solution for this.
Upstream has released rest-client-1.7.3 which addresses this issue: https://github.com/rest-client/rest-client/issues/349

This version is now in the tree and can be marked stable (with the associated dependencies):

=dev-ruby/httpclient-2.5.3.2
=dev-ruby/addressable-2.3.6
=dev-ruby/webmock-1.19.0
=dev-ruby/netrc-0.9.0
=dev-ruby/rest-client-1.7.3
Overlooked one set of required dependencies:

=dev-ruby/http_parser_rb-0.6.0
=dev-ruby/http-0.6.3
=dev-ruby/httpclient-2.5.3.2
=dev-ruby/addressable-2.3.6
=dev-ruby/webmock-1.19.0
=dev-ruby/netrc-0.9.0
=dev-ruby/rest-client-1.7.3
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please vote.
We cannot remove the old, as app-admin/chef still requires <dev-ruby/rest-client-1.7.
I have just masked app-admin/chef for removal but it will take a bit of time for the actual ebuilds to be removed. I have included the vulnerable version of rest-client in the mask.
GLSA Vote: No
GLSA vote: No
Vulnerable versions have been removed.
CVE-2015-3448 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3448): REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log.
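The report above and the CVE summary describe the same defect: credentials (basic-auth userinfo in the URL, Authorization headers) reaching a debug log in plaintext, readable by any local user who can read that file. The fix upstream shipped in 1.7.3 is the real remedy; as an added illustration of the defensive pattern (not code from rest-client, the Gentoo tree, or this bug thread), the Ruby module below shows a redaction layer that strips credentials from a request before it is formatted for a log. The names RedactingLogger, redact_url, redact_headers and format_request are hypothetical, and the sample URL, hostname and credentials are constructed for the example.

```ruby
require 'uri'
require 'logger'
require 'stringio'

# Hypothetical redaction layer (added example, not rest-client's own code):
# every request line passes through here before it is written to a log, so
# the log never contains usernames, passwords or bearer/basic tokens.
module RedactingLogger
  MASK = '[REDACTED]'.freeze
  # Header names whose values carry credentials; compared case-insensitively.
  SENSITIVE_HEADERS = %w[authorization proxy-authorization cookie set-cookie].freeze

  # Strip the userinfo component (user:password@) from a URL.
  # If the URL does not parse, fall back to a regex so that an odd-looking
  # URL is still never logged raw (over-redacting is the safe failure mode).
  def self.redact_url(url)
    uri = URI.parse(url)
    return url if uri.userinfo.nil?
    uri.password = nil   # password must be cleared before user (URI invariant)
    uri.user = nil
    uri.to_s
  rescue URI::InvalidURIError
    url.sub(%r{\A([a-z][a-z0-9+.-]*://)[^/?#]*@}i, '\1')
  end

  # Return a copy of the header hash with credential-bearing values masked.
  # The auth scheme ("Basic", "Bearer") is kept so the log still shows what
  # kind of authentication was attempted; the secret itself is dropped.
  def self.redact_headers(headers)
    headers.each_with_object({}) do |(name, value), out|
      if SENSITIVE_HEADERS.include?(name.to_s.downcase)
        scheme = value.to_s[/\A[A-Za-z]+(?=\s)/]
        out[name] = scheme ? "#{scheme} #{MASK}" : MASK
      else
        out[name] = value
      end
    end
  end

  # Format one request the way a debug log line might look, with
  # credentials removed from both the URL and the headers.
  def self.format_request(method, url, headers)
    safe_headers = redact_headers(headers).map { |k, v| "#{k}: #{v}" }.join(', ')
    "#{method.to_s.upcase} #{redact_url(url)} [#{safe_headers}]"
  end
end

# Constructed sample request: hostname, user and password are made up.
if __FILE__ == $PROGRAM_NAME
  io = StringIO.new
  logger = Logger.new(io)
  line = RedactingLogger.format_request(
    :get,
    'https://alice:s3cret@api.example.test/v1/items',
    { 'Authorization' => 'Basic YWxpY2U6czNjcmV0', 'Accept' => 'application/json' }
  )
  logger.info(line)
  puts io.string   # the logged line contains neither "alice", "s3cret" nor the Basic token
end
```

The design choice worth noting is the failure mode: when a URL cannot be parsed, the helper still strips anything that looks like userinfo rather than returning the input untouched, because a logging path that silently passes odd input through is exactly how plaintext secrets end up on disk.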