Field | Value
---|---
Summary | dev-ruby/rack-2.2.3: Percent-encoded cookies can be used to overwrite existing prefixed cookie names (CVE-2020-8184)
Product | Gentoo Security
Reporter | Hans de Graaff <graaff>
Component | Vulnerabilities
Assignee | Gentoo Security <security>
Status | RESOLVED FIXED
Severity | minor
CC | ajak, ruby
Priority | Normal
Version | unspecified
Hardware | All
OS | Linux
Whiteboard | B4 [noglsa cve]
Package list | 
Runtime testing required | ---
Bug Depends on | 692324, 761897
Bug Blocks | 730512
Description

Hans de Graaff, 2020-07-05 07:58:36 UTC:
dev-ruby/rack-2.1.4 and dev-ruby/rack-2.2.3 have been added.

ppc/ppc64 stable

sparc stable

arm stable

x86 stable

amd64 stable

hppa stable

Hans de Graaff (comment #8):
Cleanup is currently on hold as we still have some packages that depend on the old slots (notably dev-ruby/bcat and dev-ruby/faraday).

(In reply to Hans de Graaff from comment #8)
> Cleanup is currently on hold as we still have some packages that depend on
> the old slots (notably dev-ruby/bcat and dev-ruby/faraday).

Thanks. Is there a bug to block on or just wait for you to let us know?

(XSS => noglsa).

John Helmert III (ajak) (comment #11):
dev-ruby/bcat was treecleaned and dev-ruby/faraday doesn't appear to depend on slotted rack, are we able to cleanup here now?

(In reply to John Helmert III (ajak) from comment #11)
> dev-ruby/bcat was treecleaned and dev-ruby/faraday doesn't appear to depend
> on slotted rack, are we able to cleanup here now?

Unfortunately not. It turns out that there are more dependencies out there. I have fixed a number of these today and as far as I can tell now the only remaining blocker is sinatra.

Current status:
rack 1.6: now masked for removal.
rack 2.0: pending sinatra-2.0.8.1 removal, which depends on bug 692324.
rack 2.1: pending sinatra-2.1.0 stable (added 2020-09-19, needs some time in testing).

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

The remaining insecure rack slots have now been masked for removal:

    # Hans de Graaff <graaff@gentoo.org> (2020-12-29)
    # These slots masked for removal in 30 days due to
    # security issues, bug 730786
    # Use a newer slot instead.
    dev-ruby/rack:2.0
    dev-ruby/rack:2.1

Tree is clean, all done!
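The mechanism named in the bug summary (CVE-2020-8184), shown as an added illustration that is not Rack's source and not part of this bug report: a cookie parser that percent-decodes the cookie *name* before using it as a hash key lets a request cookie named `%5F%5FHost-session`, which a browser treats as an ordinary, unrelated cookie, decode to `__Host-session` and overwrite the genuine prefixed cookie that only a secure origin could have set. The hardened variant keeps the name verbatim and keeps the first occurrence of each name, which is the shape of fix the 2.2.3 bump addresses. The `Cookie` header string, the function names and the `spoofed_prefixed_names` check are constructed for this example only.

```ruby
require 'uri'

# Constructed request header (not taken from the page): the legitimate
# __Host-session cookie, followed by an attacker-controlled cookie whose
# name is the same string percent-encoded. To the browser these are two
# distinct cookies, so both are sent.
COOKIE_HEADER = '__Host-session=legit; %5F%5FHost-session=evil'.freeze

# Vulnerable pattern (illustration of the bug class, not Rack's code):
# the name is percent-decoded before it becomes the hash key, so
# %5F%5FHost-session decodes to __Host-session and the last write wins.
def parse_cookies_vulnerable(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    next if pair.empty?
    name, value = pair.split('=', 2)
    cookies[URI.decode_www_form_component(name)] =
      URI.decode_www_form_component(value.to_s)
  end
end

# Hardened pattern: the name is used verbatim, so an encoded name is a
# distinct key, and the first occurrence of a name is kept rather than
# the last. Only the value is decoded.
def parse_cookies_hardened(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    next if pair.empty?
    name, value = pair.split('=', 2)
    next if cookies.key?(name)
    cookies[name] = URI.decode_www_form_component(value.to_s)
  end
end

# Application-side check (hypothetical helper): a __Host- or __Secure-
# cookie name can only ever arrive literally from a browser, so a name
# that becomes prefixed only after percent-decoding is a spoofing attempt.
PREFIXED = /\A(__Host-|__Secure-)/.freeze

def spoofed_prefixed_names(header)
  header.split(/;\s*/).filter_map do |pair|
    name = pair.split('=', 2).first.to_s
    decoded = (URI.decode_www_form_component(name) rescue name)
    name if name != decoded && decoded.match?(PREFIXED)
  end
end

if __FILE__ == $0
  puts "vulnerable: #{parse_cookies_vulnerable(COOKIE_HEADER).inspect}"
  puts "hardened:   #{parse_cookies_hardened(COOKIE_HEADER).inspect}"
  puts "spoofed:    #{spoofed_prefixed_names(COOKIE_HEADER).inspect}"
end
```

Running the block prints the vulnerable parser returning only `"__Host-session" => "evil"`, while the hardened parser keeps `"__Host-session" => "legit"` and stores the encoded name as its own key. The `spoofed_prefixed_names` check is a useful log-and-reject hook in middleware on deployments that cannot upgrade immediately, but it is not a substitute for the fixed parser.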