Advisories » MGASA-2015-0227

Updated ruby-rest-client packages fix security vulnerabilities

Publication date: 15 May 2015
Modification date: 15 May 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-1820, CVE-2015-3448

Description

Updated ruby-rest-client packages fix security vulnerabilities:

When Ruby rest-client processes an HTTP redirection response, it blindly
passes along the values from any Set-Cookie headers to the redirection target,
regardless of domain, path, or expiration. This can be used in a session
fixation attack or in stealing cookies (CVE-2015-1820).
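The redirect-handling defect described above comes down to a missing check: before a cookie set by the original response is attached to the redirected request, its Domain, Path and expiry must be matched against the redirect target. The following is an added example of that check, not rest-client's own code; the function names and the sample Set-Cookie values are constructed for illustration.

```ruby
require 'uri'
require 'time'

# Parse one Set-Cookie header value into a hash. Cookies without a Domain
# attribute are host-only: they belong solely to the host that set them.
def parse_set_cookie(header, origin_uri, now)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split('=', 2)
  cookie = { name: name, value: value, domain: origin_uri.host.downcase,
             path: '/', expires: nil, host_only: true }
  attrs.each do |attr|
    k, v = attr.split('=', 2)
    case k.downcase
    when 'domain'  then cookie[:domain] = v.sub(/\A\./, '').downcase; cookie[:host_only] = false
    when 'path'    then cookie[:path] = v
    when 'expires' then cookie[:expires] = (Time.parse(v) rescue nil)
    when 'max-age' then cookie[:expires] = now + v.to_i
    end
  end
  cookie
end

# RFC 6265 domain matching: exact host for host-only cookies, else a subdomain also matches.
def domain_matches?(cookie, host)
  host = host.downcase
  return host == cookie[:domain] if cookie[:host_only]
  host == cookie[:domain] || host.end_with?('.' + cookie[:domain])
end

# RFC 6265 path matching: '/app' covers '/app/x' but not '/apple'.
def path_matches?(cookie, path)
  path = '/' if path.nil? || path.empty?
  cp = cookie[:path]
  path == cp ||
    (path.start_with?(cp) && (cp.end_with?('/') || path[cp.length] == '/'))
end

# Return the "name=value" pairs that may be sent with the redirected request.
# A cookie is dropped if its Domain does not cover the origin that set it,
# if the target host or path does not match, or if it has already expired.
def cookies_for_redirect(set_cookie_headers, origin_url, target_url, now: Time.now)
  origin = URI(origin_url)
  target = URI(target_url)
  set_cookie_headers.map { |h| parse_set_cookie(h, origin, now) }.select do |c|
    (c[:host_only] || domain_matches?(c, origin.host)) &&
      domain_matches?(c, target.host) && path_matches?(c, target.path) &&
      (c[:expires].nil? || c[:expires] > now)
  end.map { |c| "#{c[:name]}=#{c[:value]}" }
end
```

With this filter in place, a redirect from api.example.com to an unrelated host carries none of the cookies the first response set, which is the behaviour the vulnerable versions lacked.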

REST Client for Ruby contains a flaw that is due to the application logging
password information in plaintext. This may allow a local attacker to gain
access to password information (CVE-2015-3448).

The ruby-rest-client package has been updated to version 1.8.0, fixing these
issues and several other bugs. Refer to the upstream changelog for more
details.

References

SRPMS

4/core