| Summary | <dev-ruby/rails-{2.2.3, 2.3.4} XSS, Timing issue (CVE-2009-{3009,3086}) | | |
|---|---|---|---|
| Product | Gentoo Security | Reporter | Alex Legler (RETIRED) <a3li> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | ruby |
| Priority | High | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://weblog.rubyonrails.org/2009/9/4/ruby-on-rails-2-3-4 | | |
| Whiteboard | B4 [glsa] | | |
| Package list | | Runtime testing required | --- |
Description
Alex Legler (RETIRED)
2009-09-01 11:19:19 UTC
I'd say we wait until the official release, prepare for a 0-day bump and call arches after that. It's "just" XSS and we only have a little over two days. Prestabling would be overkill imo. Hans?

Sounds good to me in principle, yes. My two worries based on past upstream performance are: a) whether they will actually have new releases ready in time (last time took weeks after the announcement), and b) whether the new releases contain only the security fix. Last time their release also included a lot of other changed code which caused issues.

I agree with Alex's strategy. If it turns out on the day itself that we don't trust the new release or it isn't ready we can create a bump at that time ourselves.

I've just added Rails 2.3.4 to the tree. I've run the specs and features with it for our two major applications and both seem to work as expected. As far as I can tell Rails 2.2.3 has not been released yet.

This is now public per $URL.

CVE-2009-3086 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3086):
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.

My testing hasn't resulted in any issues, so as far as I'm concerned we are good to go here with stabilization.

Arches, please test and mark stable:
=dev-ruby/rails-2.3.4
=dev-ruby/activerecord-2.3.4
=dev-ruby/activeresource-2.3.4
=dev-ruby/activesupport-2.3.4
=dev-ruby/actionmailer-2.3.4
=dev-ruby/actionpack-2.3.4
Target keywords : "amd64 ia64 ppc ppc64 sparc x86"

We also need a newer rubygems stable, stabling of that via bug 284911.

amd64/x86 stable

ia64/sparc stable

ppc stable

ppc64 done

Arches, please test and mark stable:
=dev-ruby/rails-2.2.3
=dev-ruby/activerecord-2.2.3
=dev-ruby/activeresource-2.2.3
=dev-ruby/activesupport-2.2.3
=dev-ruby/actionmailer-2.2.3
=dev-ruby/actionpack-2.2.3
Target keywords : "amd64 ia64 ppc ppc64 sparc x86"

x86 stable

amd64 stable

ia64/sparc stable

ppc64 done

ppc stable

GLSA together with bug 237385.

GLSA 200912-02
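As an added illustration of the CVE-2009-3086 issue quoted above (example code written for this page, not from the bug, from Gentoo or from Rails itself): a minimal signed-cookie verifier in the style of the Rails cookie store, with the early-exit digest comparison next to a constant-time one of the kind Rails adopted in its fix. The secret, the helper names and the sample cookie data are constructed for the example.

```ruby
require 'openssl'

# Constructed sample secret; a real application derives this from configuration.
SECRET = 'constructed-example-secret'.freeze

# HMAC-SHA1 hex digest over the serialized session data, as the cookie store signs it.
def digest_for(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Vulnerable pattern (pre-2.3.4 behaviour described in the CVE): String#==
# stops at the first differing byte, so verification time depends on how many
# leading bytes of the supplied digest are correct.
def verify_naive(data, digest)
  digest == digest_for(data)
end

# Hardened pattern: fixed-length comparison that XOR-accumulates every byte,
# so the time taken does not depend on where the first mismatch is.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

def verify_constant_time(data, digest)
  secure_compare(digest, digest_for(data))
end

# Cookie value = base64(data)--hexdigest, mirroring the cookie store layout.
def sign(data)
  "#{[data].pack('m0')}--#{digest_for(data)}"
end

# Returns the session data if the signature checks out, nil otherwise.
def verify_cookie(cookie)
  encoded, digest = cookie.split('--', 2)
  return nil unless encoded && digest
  data = encoded.unpack('m0').first
  verify_constant_time(data, digest) ? data : nil
rescue ArgumentError
  nil # malformed base64
end
```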