A security issue fixed upstream in Rack was announced on June 16:
http://www.openwall.com/lists/oss-security/2015/06/16/14

The issue is fixed in version 1.5.4 and the patches are included in the message above.

Mageia 4 and Mageia 5 are also affected.
CC: (none) => fundawang
Whiteboard: (none) => MGA5TOO, MGA4TOO
If there is no progress in one week then the following packages will be dropped as they depend on ruby-rack:
ruby-capybara
ruby-cucumber-rails
ruby-github_api
ruby-oauth2
ruby-omniauth
ruby-rack
ruby-rack-cache
ruby-rack-openid
ruby-rack-protection
ruby-rack-ssl
ruby-rack-test
ruby-shotgun
ruby-sinatra
ruby-sprockets
ruby-thin
ruby-unicorn
ruby-yard
CC: (none) => mageia
Dropped from cauldron.
Hardware: i586 => All
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Severity: normal => major
I synced this commit in Fedora to fix it:
http://pkgs.fedoraproject.org/cgit/rubygem-rack.git/commit/?h=f21&id=5586d9219ad447151662fbd2203fc674dfafd232

Advisory:
========================

Updated ruby-rack packages fix security vulnerability:

lib/rack/utils.rb in Rack before 1.5.4 allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth (CVE-2015-3225).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3225
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/165180.html
========================

Updated packages in core/updates_testing:
========================
ruby-rack-1.5.2-5.1.mga4
ruby-rack-doc-1.5.2-5.1.mga4
ruby-rack-1.5.2-7.1.mga5
ruby-rack-doc-1.5.2-7.1.mga5

from SRPMS:
ruby-rack-1.5.2-5.1.mga4.src.rpm
ruby-rack-1.5.2-7.1.mga5.src.rpm
Assignee: pterjan => qa-bugs
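The weakness the advisory describes, illustrated with an added example that is not Rack's code, the Fedora commit, or anything from this bug: a minimal nested-parameter parser in the style of Rack::Utils.normalize_params, carrying the parameter-depth limit that Rack 1.5.4 introduced for CVE-2015-3225. The PARAM_DEPTH_LIMIT default of 100 matches Rack's; the function names, the hypothetical check_depth helper and the constructed query strings are assumptions.

```ruby
require 'cgi'

# Rack 1.5.4's default for Rack::Utils.param_depth_limit.
PARAM_DEPTH_LIMIT = 100

# Split a form key such as "user[roles][admin]" into ["user", "roles", "admin"].
def key_path(key)
  head, rest = key.split('[', 2)
  path = [head]
  path.concat(rest.scan(/([^\[\]]*)\]/).flatten) if rest
  path
end

# Insert value at path inside params (a Hash of Hashes), one recursive call per
# nesting level. The depth counter is the mitigation: without it the recursion
# depth is chosen by whoever sends the request, and a long enough key exhausts
# the Ruby stack (SystemStackError). With it, parsing stops with a controlled
# RangeError that the application can turn into a 400 response.
def insert_nested(params, path, value, depth = PARAM_DEPTH_LIMIT)
  raise RangeError, 'exceeded available parameter key space' if depth <= 0
  key, *rest = path
  if rest.empty?
    params[key] = value
  else
    params[key] = {} unless params[key].is_a?(Hash)
    insert_nested(params[key], rest, value, depth - 1)
  end
  params
end

# Parse a query string / urlencoded body into nested hashes.
def parse_nested_query(qs, depth_limit = PARAM_DEPTH_LIMIT)
  params = {}
  qs.split('&').each do |pair|
    next if pair.empty?
    k, v = pair.split('=', 2).map { |s| CGI.unescape(s.to_s) }
    insert_nested(params, key_path(k), v, depth_limit)
  end
  params
end

# Feed a constructed key with n nesting levels through the parser and report
# whether the depth limit accepted (:ok) or rejected (:rejected) it.
def check_depth(n, depth_limit = PARAM_DEPTH_LIMIT)
  parse_nested_query("a#{'[b]' * (n - 1)}=1", depth_limit)
  :ok
rescue RangeError
  :rejected
end
```

A depth of 100 parses; 101 is rejected before the recursion gets anywhere near the interpreter's stack limit, which is the behaviour the 1.5.4 fix restores.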
Does this mean it can be undropped from cauldron, or is the fact that we couldn't secure it in a timely manner still means we can't support it?
If someone actually plans to maintain it and wants to bring it back, that's fine. Otherwise it won't be brought back unless it's needed for some reason. My interpretation after doing this update is that this package should have been dropped before Mageia 5, when ruby on rails was dropped, but I just missed it.
(In reply to David Walser from comment #5)
> If someone actually plans to maintain it and wants to bring it back, that's
> fine. Otherwise it won't be brought back unless it's needed for some
> reason. My interpretation after doing this update is that this package
> should have been dropped before Mageia 5, when ruby on rails was dropped,
> but I just missed it.

Should this then be just test for successful install then ensure a successful update?
CC: (none) => wilcal.int
(In reply to William Kenney from comment #6)
> Should this then be just test for successful install then ensure
> a successful update?

That's a yes for this and most of the current update candidates.
(In reply to David Walser from comment #7)
> That's a yes for this and most of the current update candidates.

Let's tag which ones those are at today's QA meeting.
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: ruby-rack

default install of ruby-rack

[root@localhost wilcal]# urpmi ruby-rack
Package ruby-rack-1.5.2-5.mga4.noarch is already installed

ruby-rack installs cleanly.

install ruby-rack from updates_testing

For some reason neither the MCC nor urpmi (urpmi ruby-rack) sees the ruby-rack-1.5.2-5.1.mga4 package in the updates_testing repo, even though it's there.
In VirtualBox, M4, KDE, 32-bit
change to mirrors.kernel.org repo

Package(s) under test: ruby-rack

default install of ruby-rack

[root@localhost wilcal]# urpmi ruby-rack
Package ruby-rack-1.5.2-5.mga4.noarch is already installed

ruby-rack installs cleanly.

install ruby-rack from updates_testing

[root@localhost wilcal]# urpmi ruby-rack
Package ruby-rack-1.5.2-5.1.mga4.noarch is already installed

ruby-rack updates cleanly.
Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit
change to mirrors.kernel.org repo

Package(s) under test: ruby-rack ruby-rack-doc

default install of ruby-rack ruby-rack-doc

[root@localhost wilcal]# urpmi ruby-rack
Package ruby-rack-1.5.2-5.mga4.noarch is already installed
[root@localhost wilcal]# urpmi ruby-rack-doc
Package ruby-rack-doc-1.5.2-5.mga4.noarch is already installed

ruby-rack installs cleanly.

install ruby-rack from updates_testing

[root@localhost wilcal]# urpmi ruby-rack
Package ruby-rack-1.5.2-5.1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi ruby-rack-doc
Package ruby-rack-doc-1.5.2-5.1.mga4.noarch is already installed

ruby-rack & ruby-rack-doc update cleanly.
Whiteboard: MGA4TOO MGA4-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: ruby-rack ruby-rack-doc

default install of ruby-rack & ruby-rack-doc

[root@localhost wilcal]# urpmi ruby-rack
Package ruby-rack-1.5.2-7.mga5.noarch is already installed
[root@localhost wilcal]# urpmi ruby-rack-doc
Package ruby-rack-doc-1.5.2-7.mga5.noarch is already installed

ruby-rack & ruby-rack-doc install cleanly.

install ruby-rack & ruby-rack-doc from updates_testing

[root@localhost wilcal]# urpmi ruby-rack
Package ruby-rack-1.5.2-7.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi ruby-rack-doc
Package ruby-rack-doc-1.5.2-7.1.mga5.noarch is already installed

ruby-rack & ruby-rack-doc update cleanly.
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: ruby-rack ruby-rack-doc

default install of ruby-rack & ruby-rack-doc

[root@localhost wilcal]# urpmi ruby-rack
Package ruby-rack-1.5.2-7.mga5.noarch is already installed
[root@localhost wilcal]# urpmi ruby-rack-doc
Package ruby-rack-doc-1.5.2-7.mga5.noarch is already installed

ruby-rack & ruby-rack-doc install cleanly.

install ruby-rack & ruby-rack-doc from updates_testing

[root@localhost wilcal]# urpmi ruby-rack
Package ruby-rack-1.5.2-7.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi ruby-rack-doc
Package ruby-rack-doc-1.5.2-7.1.mga5.noarch is already installed

ruby-rack & ruby-rack-doc update cleanly.
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
This bug updates cleanly. Testing complete for MGA4 & MGA5, 32-bit & 64-bit.

Validating the update. Could someone from the sysadmin team push to updates? Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0346.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED