Summary: | dev-ruby/rails-2.2.2: Potential Circumvention of CSRF Protection (CVE-2008-7248) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hans de Graaff <graaff> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | azamat.hackimov, ruby |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1 | ||
Whiteboard: | B4 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Hans de Graaff
2008-11-19 08:54:48 UTC
Note that Rails 2.2, which is also mentioned in the bug report, is not in the tree yet; we'll wait until the fixed 2.2.2 release has come out. My proposal for Rails 2.1.3 is to wait until that version is out, unless this will take too long. It is not clear to me at this point if Rails 1.2.6 and Rails 2.0.5 (which we have in the tree) are also affected.

rails-2.2.2 released - see #248915

Well, rails-2.2.2 is now stable, so time for GLSA decision. I vote NO.

NO, too.

mmh, actually we'll have a GLSA combined with #237385

I revbumped the 2.1 slot to fix this, as there is no 2.1.3 release in sight. Arches, please be so kind and mark dev-ruby/actionpack-2.1.2-r1 stable.

ppc64 done

amd64/x86 stable

ppc done

ia64/sparc stable

CVE-2008-7248 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7248): Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.

GLSA 200912-02
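The flaw in the CVE text above is a CSRF check that is only applied to requests whose content type looks like a browser form. The following is an added, simplified illustration written for this page, not Rails' own code: `Request` is a constructed struct standing in for the framework request object, and the two `verified_request_*?` functions contrast the content-type-exempting check with one that demands a token for every state-changing request.

```ruby
# Added illustration (not Rails' code): a minimal CSRF token check in the
# spirit of protect_from_forgery. `Request` is a constructed stand-in for the
# real request object; field names are assumptions for this example only.
Request = Struct.new(:http_method, :content_type, :params, :session_token)

SAFE_METHODS = %w[GET HEAD].freeze
# Content types a browser form normally produces; the flawed check only
# verified requests carrying one of these.
FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data'].freeze

# True when the submitted token is present and equals the one stored in the session.
def token_matches?(req)
  token = req.params['authenticity_token']
  !req.session_token.nil? && !token.nil? && token == req.session_token
end

# Flawed check (the CVE-2008-7248 pattern): verification is skipped whenever
# the content type is not a form type, so a cross-site POST sent as
# text/plain is accepted without any token.
def verified_request_flawed?(req)
  return true if SAFE_METHODS.include?(req.http_method)
  return true unless FORM_TYPES.include?(req.content_type) # the hole
  token_matches?(req)
end

# Hardened check: every non-safe request must carry a valid token, whatever
# the content type claims to be. API clients then have to supply the token
# too instead of being silently exempted.
def verified_request_fixed?(req)
  return true if SAFE_METHODS.include?(req.http_method)
  token_matches?(req)
end

# Runs both checks over constructed sample requests and returns the outcomes.
def csrf_check_demo
  forged = Request.new('POST', 'text/plain', {}, 'sess-abc')
  legit  = Request.new('POST', 'application/x-www-form-urlencoded',
                       { 'authenticity_token' => 'sess-abc' }, 'sess-abc')
  {
    forged_passes_flawed: verified_request_flawed?(forged), # true: bypass
    forged_passes_fixed:  verified_request_fixed?(forged),  # false: rejected
    legit_passes_fixed:   verified_request_fixed?(legit)    # true: token ok
  }
end
```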