Bug 23226

Summary: ruby-sinatra new security issue CVE-2018-11627
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Pascal Terjan <pterjan>
Status: RESOLVED WORKSFORME
QA Contact: Sec team <security>
Severity: major
Priority: Normal
Version: 6
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: ruby-sinatra-1.4.6-3.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2018-06-24 22:57:13 CEST
Fedora has issued an advisory on June 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OKYNZEZSXKB2SF5DVT2O2M4ONY5JR7MH/

The issue is fixed upstream in 2.0.2.

Mageia 5 is also affected.
Comment 1 Pascal Terjan 2018-07-07 20:19:26 CEST
Cauldron already has 2.0.3.

From reading https://github.com/sinatra/sinatra/issues/1428 it seems only 2.0.0 and 2.0.1 are affected, not older versions.

Mageia 6 has 1.4.6, so it seems we are fine.
Comment 2 Pascal Terjan 2018-07-07 20:21:43 CEST
I'll verify later if this is correct.

For the record, the commit fixing it is https://github.com/sinatra/sinatra/commit/12786867d6faaceaec62c7c2cb5b0e2dc074d71a
Comment 3 Pascal Terjan 2018-07-07 20:53:29 CEST
After reading the code, I can confirm the problem doesn't exist in 1.4.6, as the code hadn't been added yet.

Status: NEW => RESOLVED
Resolution: (none) => WORKSFORME