CVE-2022-45442: Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue. Please bump to 2.2.3 and 3.0.4.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ceb938c24ffb8a569b4ce0c42849d3f255fb296e commit ceb938c24ffb8a569b4ce0c42849d3f255fb296e Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2022-12-03 11:01:22 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2022-12-03 11:03:57 +0000 dev-ruby/sinatra: add 2.2.3, 3.0.4 Bug: https://bugs.gentoo.org/883679 Signed-off-by: Hans de Graaff <graaff@gentoo.org> dev-ruby/sinatra/Manifest | 2 ++ dev-ruby/sinatra/sinatra-2.2.3.ebuild | 34 ++++++++++++++++++++++++++++++++++ dev-ruby/sinatra/sinatra-3.0.4.ebuild | 34 ++++++++++++++++++++++++++++++++++ 3 files changed, 70 insertions(+)
Please stabilize when ready.
No GLSA, seems a bit esoteric to exploit and seemingly low impact anyway. Please cleanup.
