| Summary: | dev-ruby/rails < 1.2.6 Session fixation vulnerability (CVE-2007-6077) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hans de Graaff <graaff> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | ruby |
| Priority: | High | Keywords: | SECURITY |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6077 | | |
| Whiteboard: | B3 [glsa errata] rbu | | |
| Package list: | | Runtime testing required: | --- |
Description
Hans de Graaff
2007-11-24 08:49:25 UTC
I have ebuilds pending for rails 1.2.6 but am currently waiting for them to show up on the ruby gem mirrors. They should be available later today.

Thanks for the report. Please ping us when the ebuilds are ready or add the arches if you think it's ready for stabling.

The new ebuilds have been added to the tree. My suggestion would be to wait until tomorrow before asking them to be stabled, so that we may be able to pick up any regressions in this release.

@arches, please stabilize dev-ruby/rails-1.2.6 and its dependencies. It only contains the security fix and a fix for a regression in rails 1.2.5, and my initial testing has shown no regressions. The packages need to be stabilized in the following order to account for dependencies:

- dev-ruby/activerecord-1.15.6
- dev-ruby/actionpack-1.13.6
- dev-ruby/actionmailer-1.3.6
- dev-ruby/actionwebservice-1.2.6
- dev-ruby/rails-1.2.6

@ppc64: you don't have rails itself keyworded, but most of its dependencies are keyworded, and the actual fixes are in the dependencies, so stabilize those packages you have keyworded.

x86 stable

ppc stable

OK, I keyworded the deps for ppc64. I need a decent way to test rails before I can mark it ~ppc64. When I run rake it pukes with errors. If someone can describe a decent rake test that is known to be reliable, even outside portage, I can test and keyword.

ia64/sparc stable

(In reply to comment #7)
> OK, I keyworded the deps for ppc64. I need a decent way to test rails before I
> can mark it ~ppc64. When I run rake it pukes with errors. If someone can
> describe a decent rake test that is known to be reliable, even outside portage,
> I can test and keyword.

marked it ~ppc64. (they have good tutorials!)

Adding back ppc64: it looks like you forgot to mark dev-ruby/activesupport-1.4.4 stable. This dependency is not listed on the bug because no new version was introduced and other arches already had it marked stable.

I'm currently removing the vulnerable versions of rails which means that I'll have to drop your currently stable version 1.4.2. Doing so because the current version of rails won't install for anyone without package.keywords magic anyway.

dev-ruby/activesupport-1.4.4 stable on ppc64

amd64 stable

Setting B3, ready for GLSA decision.

CVE-2007-6077: The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.

We handled CVE-2007-5380 in bug 195315, which resulted in a GLSA. This bug should therefore result in an errata. Voting YES. TODO: draft errata.

This bug does not affect 2008.0 release snapshot, removing release@ from CC.

GLSA 200912-02
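The CVE text quoted in the thread describes a defect class worth seeing in isolation: a per-request flag is removed with `Hash#delete` from a process-wide constant instead of from a per-request copy, so the protection it controls only applies to the first request the process handles. The Ruby below is an added illustration of that pattern and of the fix; it is not Rails' cgi_process.rb, and the names `fresh_defaults`, `SessionRequest`, `fixation_checks` and `frozen_defaults_fail_loudly?` are constructed for this example, as are the sample query parameters.

```ruby
# Added illustration (not Rails' cgi_process.rb) of the defect class behind
# CVE-2007-6077: a per-request flag deleted from the shared defaults hash
# rather than from a per-request copy, so it takes effect once per process.

# Constructed stand-in for a long-lived DEFAULT_SESSION_OPTIONS-style
# constant; a real one carries more keys. Returned fresh so each scenario
# below starts from an intact hash.
def fresh_defaults
  { :session_key => "_session_id", :cookie_only => true }
end

class SessionRequest
  attr_reader :cookie_only

  # defaults: the hash shared by every request handled in the process.
  # params:   this request's query-string parameters (constructed).
  # copy_per_request: false reproduces the bug, true is the corrected form.
  def initialize(defaults, params, copy_per_request:)
    options = copy_per_request ? defaults.dup : defaults
    # Hash#delete mutates its receiver: without the dup, this strips
    # :cookie_only from the shared defaults for every later request.
    @cookie_only = options.delete(:cookie_only) ? true : false
    @session_key = options[:session_key]
    @params = params
  end

  # With cookie_only in force, a session id arriving via the query string
  # (the fixation vector) is rejected; once the flag is gone it is honoured.
  def rejects_query_session_id?
    @cookie_only && @params.key?(@session_key)
  end
end

# Handle two consecutive requests that each carry a session id in the query
# string and report, per request, whether it was rejected.
def fixation_checks(defaults, copy_per_request:)
  query = { "_session_id" => "value-chosen-elsewhere" } # constructed sample
  Array.new(2) do
    SessionRequest.new(defaults, query, copy_per_request: copy_per_request)
                  .rejects_query_session_id?
  end
end

# Defensive check: freezing the shared defaults turns the silent mutation
# into an exception (FrozenError on Ruby >= 2.5, a RuntimeError before),
# so this class of bug fails at the first request instead of shipping.
def frozen_defaults_fail_loudly?
  SessionRequest.new(fresh_defaults.freeze, {}, copy_per_request: false)
  false
rescue RuntimeError
  true
end

if __FILE__ == $0
  p fixation_checks(fresh_defaults, copy_per_request: false) # [true, false]
  p fixation_checks(fresh_defaults, copy_per_request: true)  # [true, true]
  p frozen_defaults_fail_loudly?                              # true
end
```

The buggy mode rejects the query-string session id on the first request and accepts it on every request after, which is exactly the "applied only to the first instantiation" behaviour the CVE describes; the corrected mode rejects it every time. Freezing shared option hashes is the cheap regression guard: the same mistake then raises instead of silently disabling the protection.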