From ${URL} : Marcus Meissner of SuSE reports: The latest version of rack-ssl rubygem (1.4.0) contains a commit that fixes an XSS vulnerability in the error page. Please note that this requires an adaptor to send a malformed URL to rack-ssl. External reference: https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b @maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
rack-ssl 1.4.0 is now in the tree. Removal of the vulnerable version is not trivial since Rails 3.2 depends specifically on this version. We'll investigate and see if we can fix this.
rack-ssl 1.3.4 has been released with a fix for this issue as well, added to the tree. The vulnerable version has been removed.
Maintainer(s), thank you for the cleanup! No GLSA needed as there are no stable versions.
CVE-2014-2538 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2538): Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack.