Bug 12387

Summary: ruby-will_paginate new security issue CVE-2013-6459
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: makowski.mageia, pterjan, sysadmin-bugs, tmb
Version: 3
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/581552/
Whiteboard: has_procedure advisory mga3-32-ok mga3-64-ok
Source RPM: ruby-will_paginate-3.0.3-6.mga4.src.rpm
CVE:
Status comment:

David Walser 2014-01-21 20:57:15 CET

CC: (none) => pterjan
Blocks: (none) => 11726
Whiteboard: (none) => MGA3TOO

Comment 1 Philippe Makowski 2014-01-25 13:22:05 CET
Advisory:
========================

Updated ruby-will_paginate packages fix security vulnerability:
Cross-Site Scripting (XSS) vulnerabilities were found in the
will_paginate gem for Ruby, where certain input related to
generated pagination links was not properly sanitised before being
returned. This could be exploited to execute arbitrary HTML and
script code in a user's browser session in the context of an affected
site (CVE-2013-6459).


References:

https://lists.fedoraproject.org/pipermail/package-announce/2014-January/126924.html
CVE Request:
http://seclists.org/oss-sec/2013/q4/550

Updated packages in core/updates_testing:
========================

ruby-will_paginate-doc-3.0.3-3.1.mga3.noarch.rpm
ruby-will_paginate-3.0.3-3.1.mga3.noarch.rpm

from ruby-will_paginate-3.0.3-3.1.mga3.src.rpm


Freeze push asked for ruby-will_paginate-3.0.5-1.mga4

CC: (none) => makowski.mageia
Assignee: fundawang => qa-bugs
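The class of flaw the advisory describes, shown as an added illustration that is not will_paginate's own code: a pagination link builder that interpolates request parameters raw, next to a hardened form that percent-encodes the query string and HTML-escapes the attribute and link text. The path, parameter names and sample values are constructed for the example.

```ruby
# Added illustration for this bug's class of flaw (not will_paginate's own
# code): values that originate from the request must be escaped for both the
# URL and the HTML attribute context before they land in a pagination link.
# The path, parameter names and sample values below are constructed.
require 'cgi'
require 'uri'

# Unsafe form: raw parameter values interpolated straight into the markup.
# A value containing '"' or '<' ends the attribute and injects HTML.
def unsafe_page_link(path, params, page)
  query = params.merge('page' => page).map { |k, v| "#{k}=#{v}" }.join('&')
  %(<a href="#{path}?#{query}">#{page}</a>)
end

# Hardened form: percent-encode the query string, then HTML-escape the whole
# href and the link text before placing them in the document.
def page_link(path, params, page, label = nil)
  query = URI.encode_www_form(params.merge('page' => page))
  href  = CGI.escapeHTML("#{path}?#{query}")
  text  = CGI.escapeHTML((label || page).to_s)
  %(<a href="#{href}">#{text}</a>)
end

# Render a full pagination bar: previous, numbered pages, next.
def pagination(path, params, current, total)
  links = []
  links << page_link(path, params, current - 1, 'previous') if current > 1
  (1..total).each do |p|
    links << (p == current ? %(<em class="current">#{p}</em>) : page_link(path, params, p))
  end
  links << page_link(path, params, current + 1, 'next') if current < total
  %(<div class="pagination">#{links.join(' ')}</div>)
end

# Review check: every parameter value that carries HTML metacharacters must
# appear in the rendered markup only in encoded form, never verbatim.
def params_encoded?(html, params)
  risky = params.values.map(&:to_s).select { |v| v =~ /[<>"'&]/ }
  risky.none? { |v| html.include?(v) }
end

if __FILE__ == $0
  hostile = { 'q' => '"><script>alert(1)</script>' } # constructed sample input
  html = pagination('/posts', hostile, 2, 3)
  puts html
  puts "hardened output encodes params: #{params_encoded?(html, hostile)}"
end
```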

Comment 2 David Walser 2014-01-25 16:30:47 CET
Thanks Philippe!  I'll leave it blocking the tracker until it's pushed in Cauldron.

Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

Comment 3 David Walser 2014-01-25 17:10:38 CET
I don't see a freeze push request on the mailing list.

Comment 4 David Walser 2014-01-25 20:10:34 CET
ruby-will_paginate-3.0.5-1.mga4 uploaded for Cauldron.

Blocks: 11726 => (none)

Comment 5 claire robinson 2014-02-11 14:53:25 CET
This is really a rails thing so testing will be limited to ensuring it updates cleanly and loads in irb.

Testing complete mga3 32 & 64

$ irb
irb(main):001:0> require 'will_paginate'
=> true

Whiteboard: (none) => has_procedure mga3-32-ok mga3-64-ok

Comment 6 claire robinson 2014-02-11 14:59:09 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2014-02-11 23:53:06 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0054.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED