OpenSuSE has issued an advisory today (November 26): http://lists.opensuse.org/opensuse-updates/2014-11/msg00105.html
The issue is fixed upstream in 2.10.2 and 2.12.2, among others. Mageia 4 is also affected.
The Novell bug has more information and a patch for the 2.12 series: https://bugzilla.suse.com/show_bug.cgi?id=903658
CC: (none) => fundawang
Whiteboard: (none) => MGA4TOO
URL: (none) => http://lwn.net/Vulnerabilities/623208/
2.12.3 last month fixed another security issue:

2.12.3 (October 28, 2014)
Security: Fix directory traversal bug in development mode server.

2.12.2 (September 5, 2014)
Ensure internal asset lookups calls are still restricted to load paths within asset compiles. Though, you should not depend on internal asset resolves to be completely restricted for security reasons. Assets themselves should be considered full scripting environments with filesystem access.
2.12.3 submitted to cauldron, I'll look at updates
Just for reference, OpenSuSE has issued advisories for more recent versions of sprockets today (November 27):
http://lists.opensuse.org/opensuse-updates/2014-11/msg00110.html
http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html
(In reply to Pascal Terjan from comment #2)
> 2.12.3 submitted to cauldron, I'll look at updates

Ping...
CC: (none) => mageia
Dropped from cauldron for now, resubmit if mga4 is fixed and there is a maintainer who cares about it.
Hardware: i586 => All
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
Patched package uploaded for Mageia 4 by Pascal. Thanks Pascal!

Advisory:
========================

Updated ruby-sprockets packages fix security vulnerabilities:

Multiple directory traversal vulnerabilities in server.rb in Sprockets 2.12.x before 2.12.3 allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with double slashes or URL encoding (CVE-2014-7819).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7819
http://lists.opensuse.org/opensuse-updates/2014-11/msg00111.html
========================

Updated packages in core/updates_testing:
========================
ruby-sprockets-2.10.0-4.1.mga4
ruby-sprockets-doc-2.10.0-4.1.mga4

from ruby-sprockets-2.10.0-4.1.mga4.src.rpm
CC: (none) => pterjan
Assignee: pterjan => qa-bugs
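As an added illustration of the class of check the advisory above describes (this is example code, not Sprockets' own server.rb): the request path is percent-decoded first, then canonicalised and compared against the asset root, so a "../" hidden behind doubled slashes or URL encoding resolves to the same thing a plain one does. The constant ASSET_ROOT and the request paths in the test are constructed for the example.

```ruby
# Added example (not Sprockets' own code): canonicalise a requested asset
# path and refuse anything that resolves outside the asset root. It covers
# the input classes the advisory names: "../" with doubled slashes and with
# URL encoding (including double encoding).

# Hypothetical asset root; any absolute directory works.
ASSET_ROOT = "/srv/app/assets".freeze

# Decode %XX escapes. Hand-rolled so the example has no gem dependencies
# and so it can be applied repeatedly to double-encoded input.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Decode until the string stops changing (bounded, so a long chain of
# "%25" prefixes cannot keep this looping).
def fully_decode(str, max_rounds: 4)
  max_rounds.times do
    decoded = percent_decode(str)
    return decoded if decoded == str
    str = decoded
  end
  str
end

# The substring test many servers start with. Shown only to contrast with
# resolve_asset: it never sees the ".." hidden inside "%2e%2e".
def naive_forbidden?(path_info)
  path_info.include?("..")
end

# Return the absolute file path for a request, or nil if the request must
# be refused. Decoding happens BEFORE any inspection, the path is made
# relative to the root, and the final check is on the canonical result
# rather than on the raw bytes.
def resolve_asset(path_info)
  decoded = fully_decode(path_info.to_s)
  return nil if decoded.include?("\0")
  relative = decoded.squeeze("/").sub(%r{\A/}, "")
  # File.expand_path treats a leading "~" as a home directory; refuse it.
  return nil if relative.start_with?("~")
  full = File.expand_path(relative, ASSET_ROOT)
  return nil unless full == ASSET_ROOT || full.start_with?(ASSET_ROOT + "/")
  full
end

def forbidden_request?(path_info)
  resolve_asset(path_info).nil?
end
```

A legitimate "js/../application.js" still resolves, because the check is on where the canonical path lands, not on whether ".." appears.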
MGA4-64 on HP Probook 6555b. No installation issues.
On CLI:
urpmq --urpmq --whatrequires ruby-sprockets
ruby-sprockets
ruby-sprockets-doc
ruby-sprockets-rails
ruby-sprockets-rails
So I have no idea how to test this.
CC: (none) => herman.viaene
I unfortunately have no idea either. They have unit tests that are not shipped in the release...
Whiteboard: (none) => MGA4-64-OK
MGA4-32 on Acer D620. No installation issues.
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Len any ideas on this one?
Advisory uploaded.
Whiteboard: MGA4-64-OK MGA4-32-OK => advisory MGA4-64-OK MGA4-32-OK
to Claire comment 10 Not off-hand. The problem is I have no time to spare for QA right now because of a deadline concerning the Scottish Court and appointments with solicitors over the business of probate. Documents to sort out and a final account to prepare. Time consuming work for me. However, I shall try to have a quick look this evening. It is not familiar territory.
CC: (none) => tarazed25
Rack-based asset packaging system that concatenates and serves JavaScript, CoffeeScript, CSS, LESS, Sass, and SCSS.
https://www.ruby-toolbox.com/projects/sprockets
http://en.wikipedia.org/wiki/Rack_(web_server_interface)
So, it might need Rack as a web server. No ideas at this point.
Alright Len, thanks for looking. I'll validate it later.
Validating. Advisory already uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0074.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED