Bug 1164659 (CVE-2014-7829)
Summary: | CVE-2014-7829 rubygem-actionpack: incomplete fix for CVE-2014-7818, arbitrary file existence disclosure |
---|---|
Product: | [Other] Security Response |
Component: | vulnerability |
Reporter: | Murray McAllister <mmcallis> |
Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX |
Severity: | low |
Priority: | low |
Version: | unspecified |
CC: | abaron, aortega, apatters, apevec, ayoung, bdunne, bkearney, cbillett, ccoleman, chrisw, dajohnso, dallan, dclarizi, dmcphers, gkotton, gmccullo, jfrey, jialiu, joelsmith, jokerman, jorton, jprause, jrafanie, jrusnack, jvlcek, kseifried, lhh, lmeyer, lpeer, markmc, mburns, mmaslano, mmccomas, mmcgrath, obarenbo, rbryant, sclewis, security-response-team, tomckay, vondruch, xlecauch, yeylon |
Target Milestone: | --- |
Target Release: | --- |
Keywords: | Security |
Hardware: | All |
OS: | Linux |
Fixed In Version: | rubygem-actionpack 3.2.21, rubygem-actionpack 4.0.12, rubygem-actionpack 4.1.8 |
Doc Type: | Bug Fix |
Story Points: | --- |
Last Closed: | 2015-01-21 13:54:48 UTC |
Type: | --- |
Regression: | --- |
Mount Type: | --- |
Documentation: | --- |
Category: | --- |
oVirt Team: | --- |
Cloudforms Team: | --- |
Bug Depends On: | 1165077, 1165394 |
Bug Blocks: | 1164667 |
Description
Murray McAllister
2014-11-17 05:10:42 UTC
Created attachment 958144: 3.1 patch from upstream
Created attachment 958145: 3.2 patch from upstream
Created attachment 958146: 4.0 patch from upstream
Created attachment 958147: 4.1 patch from upstream
This is public now:
http://seclists.org/oss-sec/2014/q4/648

Created rubygem-actionpack tracking bugs for this issue:
Affects: fedora-all [bug 1165077]

Upstream announcement:
http://weblog.rubyonrails.org/2014/11/17/Rails-3-2-21-4-0-12-and-4-1-8-have-been-released/

Upstream commits (3.2, 4.0, 4.1):
https://github.com/rails/rails/commit/307402febd448646df796e7dabbbaa5734f641aa
https://github.com/rails/rails/commit/0d0bc45188425016458e6408e517e7fc1784de49
https://github.com/rails/rails/commit/bd697a108a16199065363e58abeed3747a80e30f

rubygem-actionpack-4.1.5-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

rubygem-actionpack-4.0.0-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.