Bug 688868

Summary:	<dev-ruby/yard-0.9.20: path traversal vulnerability in yard server
Product:	Gentoo Security	Reporter:	Hans de Graaff <graaff>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	ruby
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [noglsa]
Package list:	dev-ruby/yard-0.9.20	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	684080

Description Hans de Graaff gentoo-dev

2019-06-28 04:46:16 UTC

https://github.com/lsegal/yard/blob/master/CHANGELOG.md

Fix path traversal vulnerability in yard server. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. Thanks to CuongMX from Viettel Cyber Security for discovering this vulnerability.

Fixed in yard 0.9.20.

Comment 1 Agostino Sarubbo gentoo-dev

2019-06-28 15:22:33 UTC

x86 stable

Comment 2 Rolf Eike Beer archtester

2019-06-28 20:59:24 UTC

sparc stable

Comment 3 Agostino Sarubbo gentoo-dev

2019-06-29 13:03:42 UTC

amd64 stable

Comment 4 Agostino Sarubbo gentoo-dev

2019-07-02 10:12:55 UTC

alpha stable

Comment 5 Agostino Sarubbo gentoo-dev

2019-07-02 12:35:40 UTC

ia64 stable

Comment 6 Agostino Sarubbo gentoo-dev

2019-07-02 12:37:12 UTC

ppc64 stable

Comment 7 Agostino Sarubbo gentoo-dev

2019-07-02 14:03:16 UTC

ppc stable

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2019-07-02 18:43:34 UTC

hppa stable

Comment 9 Mikle Kolyada (RETIRED) archtester

2019-07-28 13:45:18 UTC

arm stable

Comment 10 Hans de Graaff gentoo-dev

2019-07-28 15:29:14 UTC

Vulnerable versions have been removed.

Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev

2019-10-27 00:00:41 UTC

GLSA Vote: No!

Repository is clean, all done!