Bug 1039435 (CVE-2013-4492)

Summary: CVE-2013-4492 rubygem-i18n: cross-site scripting flaw in exception handling
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, athomas, ayoung, bdunne, bgollahe, bkabrda, bkearney, bleanhar, briang, cbillett, ccoleman, chrisw, cpelland, dajohnso, dallan, dclarizi, dmcphers, drieden, gkotton, gmccullo, iheim, jdetiber, jfrey, jialiu, jkeck, jokerman, jorton, jprause, jrafanie, jrusnack, jstribny, jvlcek, katello-bugs, kseifried, lhh, lmeyer, markmc, mburns, mmaslano, mmccomas, mmccune, mmcgrath, obarenbo, rbryant, rhos-maint, sclewis, tdawson, tomckay, vondruch, xlecauch, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20131204,reported=20131206,source=suse,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,rhscl-1/ruby193-rubygem-i18n=wontfix,rhscl-1/ror40-rubygem-i18n=wontfix,sam-1/rubygem-i18n=wontfix,sam-1/ruby193-rubygem-i18n=wontfix,cfme-5/rubygem-i18n=wontfix,cfme-5/ruby193-rubygem-i18n=wontfix,openstack-3/ruby193-rubygem-i18n=wontfix,openstack-4/ruby193-rubygem-i18n=wontfix,openshift-enterprise-1/ruby193-rubygem-i18n=wontfix,openshift-enterprise-2/ruby193-rubygem-i18n=wontfix,fedora-all/rubygem-i18n=affected,cwe=CWE-79
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-20 11:56:31 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1039441, 1159436, 1159437    
Bug Blocks: 1039439    

Description Murray McAllister 2013-12-09 00:14:47 EST
A cross-site scripting flaw was found in the Ruby i18n gem. A remote attacker could use this flaw to perform cross-site scripting attacks against other users.

References:

https://github.com/svenfuchs/i18n/commit/92b57b1e4f84adcdcc3a375278f299274be62445
https://bugzilla.novell.com/show_bug.cgi?id=854166
Comment 1 Murray McAllister 2013-12-09 00:32:11 EST
Created rubygem-i18n tracking bugs for this issue:

Affects: fedora-all [bug 1039441]
Comment 2 Fedora Update System 2013-12-19 02:04:33 EST
rubygem-i18n-0.6.0-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2013-12-19 02:05:44 EST
rubygem-i18n-0.6.1-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2013-12-19 02:07:59 EST
rubygem-i18n-0.6.4-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.