MGASA-2015-0227
Description
Updated ruby-rest-client packages fix security vulnerabilities:

When Ruby rest-client processes an HTTP redirection response, it blindly passes along the values from any Set-Cookie headers to the redirection target, regardless of domain, path, or expiration. This can be used in a session fixation attack or in stealing cookies (CVE-2015-1820).

REST Client for Ruby contains a flaw that is due to the application logging password information in plaintext. This may allow a local attacker to gain access to password information (CVE-2015-3448).

The ruby-rest-client package has been updated to version 1.8.0, fixing these issues and several other bugs. Refer to the upstream changelog for more details.
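
The scoping checks that CVE-2015-1820 describes as missing (domain, path, expiration) can be sketched as below. This is an added example, not rest-client's code or its 1.8.0 fix; the `Cookie` struct, the function names and the sample jar are constructed for illustration, and the redirect URL is assumed to be absolute.

```ruby
require 'uri'

# Constructed model of a cookie parsed from a Set-Cookie header.
# host_only is true when the header carried no Domain attribute.
Cookie = Struct.new(:name, :value, :domain, :path, :expires, :host_only)

# RFC 6265 section 5.1.3: the request host must equal the cookie domain,
# or be a subdomain of it when the cookie is not host-only.
def domain_match?(host, cookie)
  host = host.downcase
  domain = cookie.domain.downcase.sub(/\A\./, '')
  return host == domain if cookie.host_only
  host == domain || host.end_with?(".#{domain}")
end

# RFC 6265 section 5.1.4: the cookie path must be a prefix of the request
# path that ends on a "/" boundary ("/account" must not match "/accounting").
def path_match?(request_path, cookie_path)
  request_path = '/' if request_path.empty?
  return true if request_path == cookie_path
  return false unless request_path.start_with?(cookie_path)
  cookie_path.end_with?('/') || request_path[cookie_path.length] == '/'
end

# Cookies that may accompany the follow-up request to redirect_url.
def cookies_for_redirect(cookies, redirect_url, now = Time.now)
  uri = URI.parse(redirect_url)
  cookies.select do |c|
    (c.expires.nil? || c.expires > now) &&
      domain_match?(uri.host, c) &&
      path_match?(uri.path, c.path)
  end
end

# The behaviour the advisory describes: everything is forwarded as-is.
def cookies_forwarded_blindly(cookies, _redirect_url)
  cookies
end

# Constructed sample jar and clock.
NOW = Time.utc(2015, 4, 1)
JAR = [
  Cookie.new('session', 'abc', 'app.example.test', '/', nil, true),
  Cookie.new('prefs', 'dark', 'example.test', '/account', nil, false),
  Cookie.new('old', 'x', 'example.test', '/', Time.utc(2015, 1, 1), false)
].freeze
```

A full cookie jar also honours attributes such as `Secure`, which this sketch leaves out to stay on the three the advisory names.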
Affected Systems
- mageia•ruby-http-cookie < 1.0.2-1.mga4
- mageia•ruby-netrc < 0.10.3-1.mga4
- mageia•ruby-rest-client < 1.8.0-2.mga4