An advisory has been issued on November 5: https://www.openwall.com/lists/oss-security/2018/11/05/1 The issue is fixed upstream in 2.0.6.
An advisory has been issued on November 5: https://www.openwall.com/lists/oss-security/2018/11/05/2 The issue is fixed upstream in 2.0.6 and 1.6.11. Mageia 6 is also affected (by only this issue).
Whiteboard: (none) => MGA6TOO
Summary: ruby-rack new security issue CVE-2018-16470 => ruby-rack new security issues CVE-2018-1647[01]
Cauldron was updated yesterday
Indeed it was.
Source RPM: ruby-rack-2.0.5-2.mga7.src.rpm => ruby-rack-1.6.4-3.mga6.src.rpm
Summary: ruby-rack new security issues CVE-2018-1647[01] => ruby-rack new security issues CVE-2018-16471
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
I have uploaded 1.6.11 to 6/core/updates_testing; compared to the 1.6.4 we had, it has several bugfix releases.
Also, I only did minimal testing:

$ cat c.ru
run Proc.new { |env| ['200', {'Content-Type' => 'text/plain'}, ["Foo\n"]] }

$ rackup c.ru &
[1] 20283
[2018-11-11 17:40:18] INFO  WEBrick 1.4.2
[2018-11-11 17:40:18] INFO  ruby 2.5.3 (2018-10-18) [x86_64-linux]
[2018-11-11 17:40:18] INFO  WEBrick::HTTPServer#start: pid=20283 port=9292

$ GET http://127.0.0.1:9292/
127.0.0.1 - - [11/Nov/2018:17:40:33 +0000] "GET / HTTP/1.1" 200 - 0.0004
Foo

$ fg
rackup c.ru
^C[2018-11-11 17:40:37] INFO  going to shutdown ...
[2018-11-11 17:40:37] INFO  WEBrick::HTTPServer#start done.
Advisory:
========================

Updated ruby-rack packages fix security vulnerability:

There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to "http" or "https" and do not escape the return value could be vulnerable to an XSS attack (CVE-2018-16471).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16471
https://www.openwall.com/lists/oss-security/2018/11/05/2
========================

Updated packages in core/updates_testing:
========================
ruby-rack-1.6.11-1.mga6
ruby-rack-doc-1.6.11-1.mga6

from ruby-rack-1.6.11-1.mga6.src.rpm
CC: (none) => pterjan
Assignee: pterjan => qa-bugs
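The advisory above describes the defect as a trust problem: the scheme is assumed to be "http" or "https", but it is actually derived from request headers and then written into a page unescaped. The following Ruby is an added example for this thread, not code from Rack or from the Mageia package. The header lookup in header_derived_scheme is a simplified model of a proxy-aware scheme lookup, not Rack's own implementation, and the names safe_scheme, vulnerable_page, hardened_page and SchemeGuard are assumptions made here. It shows the vulnerable output pattern beside two mitigations an application can apply on its own side: allowlist the scheme, and escape it on output anyway.

```ruby
require 'cgi'

# Schemes an application should accept from a request; anything else is
# treated as untrusted input, not as a scheme.
ALLOWED_SCHEMES = %w[http https].freeze

# Simplified model (an assumption, not Rack's own code) of a proxy-aware
# scheme lookup that trusts X-Forwarded-* headers carried by the request.
def header_derived_scheme(env)
  if env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_SSL'] == 'on'
    'https'
  elsif env['HTTP_X_FORWARDED_SCHEME']
    env['HTTP_X_FORWARDED_SCHEME']
  elsif env['HTTP_X_FORWARDED_PROTO']
    env['HTTP_X_FORWARDED_PROTO'].split(',').first.to_s.strip
  else
    env['rack.url_scheme']
  end
end

# Hardened lookup: only an allowlisted value is returned; anything else
# falls back to the scheme the server itself established.
def safe_scheme(env)
  candidate = header_derived_scheme(env).to_s.downcase
  return candidate if ALLOWED_SCHEMES.include?(candidate)
  ALLOWED_SCHEMES.include?(env['rack.url_scheme']) ? env['rack.url_scheme'] : 'http'
end

# Vulnerable pattern the advisory describes: the scheme is assumed to be
# "http" or "https" and is interpolated into HTML without escaping.
def vulnerable_page(env)
  "<p>Scheme: #{header_derived_scheme(env)}</p>"
end

# Hardened pattern: validate the value and escape it on output regardless.
def hardened_page(env)
  "<p>Scheme: #{CGI.escapeHTML(safe_scheme(env))}</p>"
end

# Rack-style middleware (hypothetical name) that rejects requests whose
# forwarded scheme is not on the allowlist before they reach the app.
class SchemeGuard
  def initialize(app)
    @app = app
  end

  def call(env)
    scheme = header_derived_scheme(env).to_s.downcase
    unless ALLOWED_SCHEMES.include?(scheme)
      return ['400', { 'Content-Type' => 'text/plain' }, ["Bad Request\n"]]
    end
    @app.call(env)
  end
end

# Constructed sample environments (not captured from a real server).
PLAIN_ENV     = { 'rack.url_scheme' => 'http' }.freeze
FORWARDED_ENV = { 'rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_PROTO' => 'https, http' }.freeze
TAINTED_ENV   = { 'rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_SCHEME' => '<b>not-a-scheme</b>' }.freeze

# Runs a trivial app behind SchemeGuard and returns the status it answers with.
def guarded_status(env)
  app = ->(_e) { ['200', { 'Content-Type' => 'text/plain' }, ["ok\n"]] }
  SchemeGuard.new(app).call(env)[0]
end

if __FILE__ == $PROGRAM_NAME
  [PLAIN_ENV, FORWARDED_ENV, TAINTED_ENV].each do |env|
    puts "derived=#{header_derived_scheme(env).inspect} safe=#{safe_scheme(env)} status=#{guarded_status(env)}"
    puts "  vulnerable: #{vulnerable_page(env)}"
    puts "  hardened:   #{hardened_page(env)}"
  end
end
```

The middleware and the escaped output are independent layers: SchemeGuard stops a non-http(s) value at the door, while hardened_page is safe even if the guard is not mounted, which is the property the advisory says affected applications lacked. Upgrading to a fixed ruby-rack removes the root cause; the output escaping remains good practice for any header-derived value.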
Mageia 6, x86_64

No exploit posted.

Ran Pascal's tests, which echo the examples at https://rack.github.io/
More information at https://thoughtbot.com/upcase/videos/rack.

Install ruby-rdoc (if it is not there already).

Copied the middleware logging example and ran it after installing the 'thin' gem. Don't know how or if it is bundled with Mageia ruby so went for the gem.

$ sudo gem install thin

Updated ruby-rack from testing.

$ cat rackapp.rb
require 'rack'

app = Proc.new do |env|
  ['200', {'Content-Type' => 'text/html'}, ['A barebones rack app.']]
end

Rack::Handler::WEBrick.run app

Ran the script:

$ rackup rackapp.rb
[2018-11-12 20:17:48] INFO  WEBrick 1.3.1
[2018-11-12 20:17:48] INFO  ruby 2.2.10 (2018-03-28) [x86_64-linux]
[2018-11-12 20:17:48] INFO  WEBrick::HTTPServer#start: pid=22925 port=8080
localhost - - [12/Nov/2018:20:18:15 GMT] "GET / HTTP/1.1" 200 21

Pointed the browser at localhost:8080/ and saw "A barebones rack app." on a clean page.

Also tried the other example:

$ cat config.ru
run Proc.new { |env| ['200', {'Content-Type' => 'text/html'}, ["get rack\'d\n"]] }

$ rackup config.ru
Thin web server (v1.7.2 codename Bachmanity)
Maximum connections set to 1024
Listening on localhost:9292, CTRL+C to stop

In another terminal:

$ GET http://127.0.0.1:9292/
get rack'd

Ran the attached script.

$ ruby logging.rb
Thin web server (v1.7.2 codename Bachmanity)
Maximum connections set to 1024
Listening on localhost:8080, CTRL+C to stop

Typed localhost:8080/ in the browser address bar and saw the message:

Hello World
App took 3 seconds.

Hey, it can do HelloWorld! Must be OK.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
Created attachment 10469: HelloWorld application for ruby-rack

Open a browser at localhost:8080/ after running it.
Advisory from comment 6. Validating also.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0449.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Ubuntu advisory from August 7, for reference: https://usn.ubuntu.com/4089-1/