WEBrick, a standard library of Ruby to implement HTTP servers, does a case-sensitive match on the :NondisclosureName when accessing files, which will (in the default configuration) disclose files with the file names [".ht*", "*~"] that are on insensitive filesystems (FAT, NTFS, HFS).

Fixed in:
1.8.5-p115
1.8.6-p114

Patch for 1.9:
ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-1-webrick-vulnerability-fix.diff
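The matching difference described in the report above, as an added example that is not part of the original report and is not WEBrick's own code: it compares a case-sensitive glob check of [".ht*", "*~"] with one that uses File::FNM_CASEFOLD. The helper names and the request paths are constructed for illustration.

```ruby
# Added example; helper names and sample paths are constructed, not WEBrick code.
# Patterns are the default :NondisclosureName values quoted in the report.
NONDISCLOSURE = [".ht*", "*~"].freeze

# True when any segment of the request path matches a nondisclosure pattern.
# flags = 0 gives File.fnmatch's default case-sensitive comparison.
def hidden?(path, flags)
  path.split("/").reject(&:empty?).any? do |segment|
    NONDISCLOSURE.any? { |pattern| File.fnmatch(pattern, segment, flags) }
  end
end

# The check as the report describes it: case-sensitive.
def hidden_case_sensitive?(path)
  hidden?(path, 0)
end

# Case-folded check, suitable when the backing filesystem ignores case.
def hidden_casefold?(path)
  hidden?(path, File::FNM_CASEFOLD)
end

# Paths the case-sensitive check lets through although a case-insensitive
# filesystem would resolve them to a protected file.
def disclosure_gap(paths)
  paths.select { |p| hidden_casefold?(p) && !hidden_case_sensitive?(p) }
end

# Constructed request paths for a regression check of the nondisclosure logic.
SAMPLE_PATHS = [
  "/index.html", "/.htaccess", "/.HTACCESS",
  "/docs/.HtPasswd", "/notes.txt~", "/HT/readme"
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PATHS.each do |p|
    printf("%-18s case-sensitive=%-5s casefold=%s\n",
           p, hidden_case_sensitive?(p), hidden_casefold?(p))
  end
  puts "gap: #{disclosure_gap(SAMPLE_PATHS).inspect}"
end
```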
dev-lang/ruby-1.8.6_p114 is now in the tree; I've removed 1.8.5 and 1.8.4.
Thanks, Richard.

Arches, please test and mark stable:
=dev-lang/ruby-1.8.6_p114
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 release s390 sh sparc x86"
ppc64 done
Sparc stable. So far, all as expected.
x86 stable
alpha/ia64 stable
ppc stable
Stable for HPPA.
amd64 stable
Fixed in release snapshot.
CVE-2008-1145 was assigned to this issue.
All supported arches done, ready for vote. I vote NO.
No too, and closing.