| Summary: | <dev-ruby/rest-client-1.7.3: plain text passwords are being logged (CVE-2015-3448) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | ruby |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1192504 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-02-16 08:01:18 UTC
There is no upstream consensus on how to fix this properly and the logging in question does not occur by default. We'll wait until upstream has a solution for this.

Upstream has released rest-client-1.7.3 which addresses this issue: https://github.com/rest-client/rest-client/issues/349

This version is now in the tree and can be marked stable (with the associated dependencies):

=dev-ruby/httpclient-2.5.3.2
=dev-ruby/addressable-2.3.6
=dev-ruby/webmock-1.19.0
=dev-ruby/netrc-0.9.0
=dev-ruby/rest-client-1.7.3

Overlooked one set of required dependencies:

=dev-ruby/http_parser_rb-0.6.0
=dev-ruby/http-0.6.3
=dev-ruby/httpclient-2.5.3.2
=dev-ruby/addressable-2.3.6
=dev-ruby/webmock-1.19.0
=dev-ruby/netrc-0.9.0
=dev-ruby/rest-client-1.7.3

amd64 stable

x86 stable. Maintainer(s), please cleanup. Security, please vote.

We cannot remove the old, as app-admin/chef still requires <dev-ruby/rest-client-1.7. I have just masked app-admin/chef for removal but it will take a bit of time for the actual ebuilds to be removed. I have included the vulnerable version of rest-client in the mask.

GLSA Vote: No

GLSA vote: No

Vulnerable versions have been removed.

CVE-2015-3448 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3448): REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log.
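The CVE text above describes the failure mode: request logging that writes the credentials embedded in a URL (and in credential-bearing headers) into a file that local users can read. The following is an added illustration of the defensive pattern, not code from this bug report or from rest-client itself: the helper names `redact_url`, `redact_headers` and `request_log_line`, the header list and the sample request are all constructed for this example. It scrubs credentials out of a request before the log line is built, so that enabling request logging does not turn the log into a credential store.

```ruby
# Added example (hypothetical helpers, not rest-client's own logging code):
# strip credentials from an HTTP request before it is handed to a logger.

# Header names whose values are credentials and must never reach a log.
SENSITIVE_HEADERS = %w[authorization proxy-authorization cookie].freeze

# Replace the userinfo part ("user:password@") of an absolute URL with a
# marker. A regex is used rather than URI setters so that odd characters in
# a password still get redacted instead of raising a parse error.
def redact_url(url)
  url.sub(%r{\A([a-z][a-z0-9+.\-]*://)[^/?#@]+@}i, '\1REDACTED@')
end

# Mask the values of credential-bearing headers; everything else passes through.
def redact_headers(headers)
  headers.each_with_object({}) do |(name, value), out|
    out[name] = SENSITIVE_HEADERS.include?(name.to_s.downcase) ? '[REDACTED]' : value
  end
end

# Build the single line that a logger would receive for this request.
def request_log_line(method, url, headers)
  safe_headers = redact_headers(headers).map { |k, v| "#{k}: #{v}" }.join(', ')
  "#{method.to_s.upcase} #{redact_url(url)} {#{safe_headers}}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request; the host and credentials are made up.
  puts request_log_line(:get,
                        'https://alice:s3cret@api.example.test/v1/items?x=1',
                        { 'Authorization' => 'Basic YWxpY2U6czNjcmV0',
                          'Accept' => 'application/json' })
end
```

The redaction happens before the string is assembled, which is the property that matters: a log filter applied after the fact has to find every place the secret was copied, while scrubbing at the source means the plaintext password never exists in the logging path at all.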