Updated ruby-rest-client packages fix security vulnerabilities
Publication date: 15 May 2015
Modification date: 15 May 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-1820, CVE-2015-3448
Description
Updated ruby-rest-client packages fix security vulnerabilities:

When Ruby rest-client processes an HTTP redirection response, it blindly passes along the values from any Set-Cookie headers to the redirection target, regardless of domain, path, or expiration. A cookie set by the redirecting host is therefore sent to whatever host the redirect points at, which can be used in a session fixation attack or to steal cookies (CVE-2015-1820).

rest-client also logs password information in plaintext. A local attacker with read access to the log may recover the password (CVE-2015-3448).

The ruby-rest-client package has been updated to version 1.8.0, fixing these issues and several other bugs. Refer to the upstream changelog for more details.
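As an added illustration of both issues above (example code written for this advisory, not rest-client's own implementation), the block below shows the pre-1.8.0 behaviour of forwarding every Set-Cookie value on a redirect next to a scoped version that applies RFC 6265 domain, path and expiry rules, plus a redaction step for credentials before a request URL is logged. The updated package pulls in ruby-http-cookie, whose cookie jar does this kind of scoping; the example reimplements the checks with only the Ruby standard library. Assumptions: the request URI, redirect targets and Set-Cookie headers are constructed sample data, and placing the password in the URL userinfo (user:password@host) is an assumption, since the advisory does not say which field was logged.

```ruby
require 'uri'
require 'time'

# RFC 6265 default-path: the request path up to (not including) its last "/".
def default_path(uri)
  path = uri.path.to_s
  return '/' if path.empty? || !path.start_with?('/') || path.count('/') == 1
  path[0...path.rindex('/')]
end

# RFC 6265 domain-match: exact host, or a sub-domain of the cookie domain (never for IPv4 literals).
def domain_match?(host, domain)
  host = host.downcase
  return true if host == domain
  host.end_with?(".#{domain}") && host !~ /\A\d+\.\d+\.\d+\.\d+\z/
end

# RFC 6265 path-match.
def path_match?(request_path, cookie_path)
  request_path = '/' if request_path.empty?
  return true if request_path == cookie_path
  return false unless request_path.start_with?(cookie_path)
  cookie_path.end_with?('/') || request_path[cookie_path.length] == '/'
end

# Parse one Set-Cookie header into a hash, filling in defaults from the request URI.
def parse_set_cookie(header, request_uri, now: Time.now)
  parts = header.split(';').map(&:strip)
  name, value = parts.shift.to_s.split('=', 2)
  cookie = { name: name, value: value, domain: nil, path: nil, expires: nil, host_only: true }
  parts.each do |attr|
    key, val = attr.split('=', 2)
    case key.to_s.strip.downcase
    when 'domain'
      next if val.nil? || val.strip.empty?
      cookie[:domain] = val.strip.sub(/\A\./, '').downcase
      cookie[:host_only] = false
    when 'path'
      cookie[:path] = val.strip if val && val.strip.start_with?('/')
    when 'expires'
      cookie[:expires] = (Time.parse(val.to_s) rescue nil)
    when 'max-age'
      cookie[:expires] = now + val.to_i if val.to_s.strip =~ /\A-?\d+\z/
    end
  end
  cookie[:domain] ||= request_uri.host.downcase   # no Domain attribute: host-only cookie
  cookie[:path] ||= default_path(request_uri)
  cookie
end

# Pre-1.8.0 behaviour (CVE-2015-1820): every cookie the redirect response set is sent
# to the redirect target, wherever it points.
def cookies_forwarded_blindly(set_cookie_headers)
  set_cookie_headers.map { |h| h.split(';', 2).first.strip }
end

# Scoped behaviour: a cookie follows the redirect only if the origin was allowed to set it
# for that domain, it has not expired, and the target host and path fall inside its scope.
def cookies_for_redirect(set_cookie_headers, request_uri, target_uri, now: Time.now)
  set_cookie_headers.map { |h| parse_set_cookie(h, request_uri, now: now) }.select do |c|
    next false unless domain_match?(request_uri.host, c[:domain])   # origin may not set foreign domains
    next false if c[:expires] && c[:expires] <= now                 # already expired
    in_domain = c[:host_only] ? target_uri.host.downcase == c[:domain] : domain_match?(target_uri.host, c[:domain])
    in_domain && path_match?(target_uri.path.to_s, c[:path])
  end.map { |c| "#{c[:name]}=#{c[:value]}" }
end

# CVE-2015-3448 concerns a password reaching the log in plaintext. Assumed here: the
# password sits in the URL userinfo; mask it before the URL goes anywhere near a logger.
def redacted_url(url)
  uri = URI.parse(url)
  return url if uri.password.nil?
  uri.userinfo = "#{uri.user}:REDACTED"
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a login request to auth.example.com answered with a redirect
  # that also sets three cookies of differing scope.
  request = URI('https://auth.example.com/login')
  headers = [
    'session=abc123; Path=/; Domain=example.com; Secure; HttpOnly',
    'tmp=xyz; Path=/admin',
    'old=1; Expires=Thu, 01 Jan 2015 00:00:00 GMT',
  ]
  now = Time.utc(2015, 5, 15)
  puts "blind:     #{cookies_forwarded_blindly(headers).inspect}"
  puts "same-site: #{cookies_for_redirect(headers, request, URI('https://auth.example.com/login/next'), now: now).inspect}"
  puts "off-site:  #{cookies_for_redirect(headers, request, URI('https://app.example.net/dashboard'), now: now).inspect}"
  puts redacted_url('https://alice:s3cret@api.example.com/v1/items')
end
```

The blind version hands all three cookies to the off-site target; the scoped version sends only the Domain=example.com session cookie to a same-site target and nothing to app.example.net, and drops the cookie that expired before the redirect was followed. Redaction happens on the URL string itself, so it covers any log sink that is handed the URL later.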
References
- https://bugs.mageia.org/show_bug.cgi?id=15560
- https://github.com/rest-client/rest-client/blob/master/history.md
- https://bugzilla.redhat.com/show_bug.cgi?id=1205291
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00026.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1820
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3448
SRPMS
4/core
- ruby-rest-client-1.8.0-2.mga4
- ruby-netrc-0.10.3-1.mga4
- ruby-http-cookie-1.0.2-1.mga4