CVE-2015-9284: The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account. There is an unmerged PR at $URL.
Given the long discussion and history on that bug I think it is best if we wait for a new upstream version for this.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6e7418ac708d533403b7fbf70b87c9502bcc3be

commit b6e7418ac708d533403b7fbf70b87c9502bcc3be
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-07-07 07:40:12 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-07-07 07:40:12 +0000

    profiles/package.mask: mask vulnerable omniauth slot

    Bug: https://bugs.gentoo.org/761960
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=89bcc98ce7ba0cfe3de2910a9aa12c3f0847db94

commit 89bcc98ce7ba0cfe3de2910a9aa12c3f0847db94
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-07-07 07:36:31 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-07-07 07:37:35 +0000

    dev-ruby/omniauth: add 2.0.4

    Bug: https://bugs.gentoo.org/761960
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/omniauth/Manifest              |  1 +
 dev-ruby/omniauth/omniauth-2.0.4.ebuild | 46 +++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
Thanks!
Package list is empty or all packages have requested keywords.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5424f4f5575040dab0ffa3f1d01148555faa5117

commit 5424f4f5575040dab0ffa3f1d01148555faa5117
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-08-19 11:14:11 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2021-08-19 11:14:11 +0000

    dev-ruby/omniauth: Remove last-rited version

    Bug: https://bugs.gentoo.org/761960
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: David Seifert <soap@gentoo.org>

 dev-ruby/omniauth/Manifest              |  1 -
 dev-ruby/omniauth/omniauth-1.9.1.ebuild | 45 ---------------------------------
 profiles/package.mask                   |  5 ----
 3 files changed, 51 deletions(-)
All done, thanks!