Bug 31416 - ruby-sinatra new security issue CVE-2022-45442
Summary: ruby-sinatra new security issue CVE-2022-45442
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2023-01-17 18:35 CET by David Walser
Modified: 2023-02-07 01:08 CET (History)
6 users (show)

See Also:
Source RPM: ruby-sinatra-3.0.1-1.mga9.src.rpm
Status comment:


Description David Walser 2023-01-17 18:35:58 CET
Debian-LTS has issued an advisory on January 10:

The issue is fixed upstream in 2.2.3 and 3.0.4:

Mageia 8 is also affected.
David Walser 2023-01-17 18:36:15 CET

Status comment: (none) => Fixed upstream in 2.2.3 and 3.0.4
Whiteboard: (none) => MGA8TOO

Comment 1 Pascal Terjan 2023-01-18 22:01:34 CET
Fixed in cauldron by updating to 3.0.4 and in 8 by backporting https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
Comment 2 David Walser 2023-01-19 01:33:35 CET

from ruby-sinatra-

CC: (none) => pterjan
Assignee: pterjan => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 2.2.3 and 3.0.4 => (none)

Comment 3 Herman Viaene 2023-01-19 11:25:59 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
I'm not at all familiar with ruby e.a. but found bug 30542 Comment 4 that I more or less could grasp.
$ cd Documents/
$ mkdir public
$ echo bar > public/foo.html
$ ruby -rsinatra -e "get '/' do 'Hello world'; end"&
[1] 12356
$ [2023-01-19 11:14:03] INFO  WEBrick 1.6.1
[2023-01-19 11:14:03] INFO  ruby 2.7.7 (2022-11-24) [x86_64-linux]
== Sinatra (v2.0.8.1) has taken the stage on 4567 for development with backup from WEBrick
[2023-01-19 11:14:03] INFO  WEBrick::HTTPServer#start: pid=12356 port=4567
This was all feedback on the ruby command and then this terminal session was waiting
On another tab in the terminal I did then
and got on the first tab the feedback - - [19/Jan/2023:11:15:07 +0100] "GET /foo.html HTTP/1.1" 200 4 0.0396 - - [19/Jan/2023:11:15:07 CET] "GET /foo.html HTTP/1.1" 200 4
- -> /foo.html

I expected to see the 'Hello world' somewhere in the feedback, but on the other hand the content of the foo.html appears at the place I expected.
Really not sure what this all means ....

CC: (none) => herman.viaene

Comment 4 Len Lawrence 2023-01-29 18:41:12 CET
@Herman, re comment 3:
The 'Hello world' message does turn up, in a browser at localhost:4567/
No idea how you would progress any further.  Reckon you should pass it.

CC: (none) => tarazed25

Comment 5 Thomas Andrews 2023-02-03 15:31:44 CET
Since no one else is forthcoming, I'm going to give this an OK based on Comments 3 and 4. If that is a problem, please let us know.


Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-06 22:09:28 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2023-02-07 01:08:31 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.