Bug 332957 (CVE-2010-0541) - <dev-lang/{ruby-1.8.7_p302, ruby-enterprise-1.8.7.2010.02-r1}; <dev-lang/jruby-1.5.2: WEBrick XSS (CVE-2010-0541)
Summary: <dev-lang/{ruby-1.8.7_p302, ruby-enterprise-1.8.7.2010.02-r1}; <dev-lang/jrub...
Status: RESOLVED FIXED
Alias: CVE-2010-0541
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.ruby-lang.org/en/news/2010...
Whiteboard: A4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-16 08:20 UTC by Alex Legler (RETIRED)
Modified: 2010-09-07 19:09 UTC
See Also:
Package list:
Runtime testing required: ---
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-16 08:20:47 UTC
From $URL:

WEBrick has had a cross-site scripting vulnerability that allows an attacker to inject arbitrary script or HTML via a crafted URI. This does not affect user agents that strictly implement HTTP/1.1; however, some user agents do not.

The affected versions are:

    * Ruby 1.8.6-p399 or any prior releases.
    * Ruby 1.8.7-p299 or any prior releases.
    * Ruby 1.9.1-p429 or any prior releases.
    * Ruby 1.9.2 RC2 or any prior releases.
    * Development versions of Ruby 1.9 (1.9.3dev).

We recommend that you upgrade your Ruby to the newest patch-level releases.
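The advisory above names the vulnerability class (a crafted request target reflected into HTML) and why strict HTTP/1.1 clients were unaffected. The following is an added illustration, not WEBrick's own code or the upstream patch: a constructed 404 template that echoes the request target, next to its escaped form, with a small check a reviewer can run against both. The sample paths are constructed.

```ruby
# Added example (not from the bug report or from WEBrick): the reflected-XSS
# class behind CVE-2010-0541, shown with a constructed error-page template.
require 'cgi'

# Request targets as they arrive on the request line. A strictly conforming
# HTTP/1.1 client percent-encodes '<' and '>' (first sample); a lax client may
# send them raw (second sample). Both values are constructed for this example.
STRICT_CLIENT_PATH = '/missing/%3Cb%3Ex%3C/b%3E'
LAX_CLIENT_PATH    = '/missing/<b>x</b>'

# Naive 404 body: reflects the raw request target into HTML. It is only safe as
# long as every client happens to percent-encode, which cannot be assumed.
def naive_not_found_body(request_target)
  "<html><body><h1>Not Found</h1><p>#{request_target} was not found.</p></body></html>"
end

# Hardened body: HTML-escape anything taken from the request before embedding it,
# regardless of how the client encoded it on the wire.
def safe_not_found_body(request_target)
  escaped = CGI.escapeHTML(request_target)
  "<html><body><h1>Not Found</h1><p>#{escaped} was not found.</p></body></html>"
end

# Review/test helper: true when the body contains any tag the template itself
# did not emit, i.e. markup that came from the request.
TEMPLATE_TAGS = %w[html body h1 p].freeze
def reflects_markup?(body)
  tags = body.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten
  tags.any? { |t| !TEMPLATE_TAGS.include?(t.downcase) }
end

if $PROGRAM_NAME == __FILE__
  puts "naive, strict client: #{reflects_markup?(naive_not_found_body(STRICT_CLIENT_PATH))}"
  puts "naive, lax client:    #{reflects_markup?(naive_not_found_body(LAX_CLIENT_PATH))}"
  puts "safe,  lax client:    #{reflects_markup?(safe_not_found_body(LAX_CLIENT_PATH))}"
end
```

The naive template passes only for the strict client, which is exactly the "does not affect user agents that strictly implement HTTP/1.1" observation; the escaped template passes for both.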
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-16 08:22:44 UTC
1.8.6 → backport
1.8.7 → update to _p302
1.9.2_rc2 → backport (~arch + p.masked)
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-21 14:40:26 UTC
Arches, please test and mark stable:
=dev-lang/ruby-1.8.7_p302
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-21 16:13:28 UTC
Stable for HPPA PPC.
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2010-08-21 16:52:14 UTC
amd64 done
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-21 18:40:16 UTC
x86 stable
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-22 15:18:12 UTC
dev-lang/jruby is also affected; I've added the 1.5.2 version to the tree, which solves it, and should be ready to go stable for x86/amd64.

The problem is with ppc that still got an ancient jruby version that is not even compatible with the ruby-ng system... I guess they might want to remove the 1.3.1-r1 ebuild entirely for now.
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2010-08-23 15:00:15 UTC
x86 stable
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2010-08-23 17:19:45 UTC
amd64 done
Comment 9 Markus Meier gentoo-dev 2010-08-23 20:35:18 UTC
arm stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2010-08-28 10:20:23 UTC
alpha/ia64/s390/sh/sparc stable
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-01 17:27:18 UTC
Fixed in dev-lang/ruby-enterprise-1.8.7.2010.02-r1 (~arch only).
Comment 12 Brent Baude (RETIRED) gentoo-dev 2010-09-06 20:43:13 UTC
ppc64 done
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-07 16:57:22 UTC
PPC was done by jer, too. Removing from CC.
GLSA vote: NO
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-07 19:09:07 UTC
No, too. Closing noglsa.