Bug 829219 (CVE-2021-44528) - <dev-ruby/actionpack-{6.0.4.3,6.1.4.3}: open redirect vulnerability
Summary: <dev-ruby/actionpack-{6.0.4.3,6.1.4.3}: open redirect vulnerability
Status: IN_PROGRESS
Alias: CVE-2021-44528
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B4 [glsa?]
Reported: 2021-12-15 00:30 UTC by John Helmert III
Modified: 2022-08-16 19:56 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-15 00:30:13 UTC
From URL:

"Impact
------
Specially crafted "X-Forwarded-Host" headers in combination with certain
"allowed host" formats can cause the Host Authorization middleware in Action
Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

```ruby
config.hosts << '.EXAMPLE.com'
```

When an allowed host contains a leading dot, a specially crafted Host header
can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881 and CVE-2021-22942."

Please bump to actionpack-6.1.4.2.
Comment 1 Hans de Graaff gentoo-dev Security 2021-12-15 05:42:50 UTC
This requires rails 6.0.4.3 and 6.1.4.3. The x.4.2 releases were broken. Rails 5.2 is not affected.
Comment 2 Hans de Graaff gentoo-dev Security 2021-12-15 06:17:23 UTC
Rails 6.0.4.3 and 6.1.4.3 are now available. I'll file a stable bug for actionpack and related dependencies in a few days.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-15 21:25:53 UTC
Thanks!
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-16 19:56:11 UTC
Tree seems clean now, this only affects >=actionpack-6.