Bug 30014

Summary: ruby-selenium-webdriver new security issues fixed upstream in 4 (CVE-2022-2810[89])
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Pascal Terjan <pterjan>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO
Source RPM: ruby-selenium-webdriver-3.142.7-1.mga8.src.rpm CVE:
Status comment: Fixed upstream in 4

Description David Walser 2022-02-08 22:14:53 CET 
Security issues have been announced on February 7:
https://www.openwall.com/lists/oss-security/2022/02/07/3

It sounds like it's referring to the ruby-selenium-webdriver package as "Selenium server/Grid" and it says the issues have had CVEs requested and are fixed upstream in version 4.

Mageia 8 is also affected.
David Walser 2022-02-08 22:15:04 CET

Status comment: (none) => Fixed upstream in 4
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-02-09 11:56:16 CET 
Coincidence, another for Pascal. Although not officially your baby, you have done this SRPM over the years.

Assignee: bugsquad => pterjan

Comment 2 David Walser 2022-04-16 20:38:30 CEST 
CVE-2022-28108 and CVE-2022-28109 have been assigned:
https://www.openwall.com/lists/oss-security/2022/04/16/1

Summary: ruby-selenium-webdriver new security issues fixed upstream in 4 => ruby-selenium-webdriver new security issues fixed upstream in 4 (CVE-2022-2810[89])

Comment 3 Pascal Terjan 2022-08-10 21:19:32 CEST 
I had missed that bug but I am not sure this ruby package is impacted.

Looking into those 2 CVE they are about a standalone java server: https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/

The ruby part is only a client (see https://www.selenium.dev/downloads/)
Comment 4 David Walser 2022-08-11 01:16:34 CEST 
Looks like you're correct.

Status: NEW => RESOLVED
Resolution: (none) => INVALID