Bug 152768

Summary: CAN-2004-0755, CAN-2004-0983: ruby CGI vulnerabilities
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: ruby
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: botsch, deisenst, pekkas, rob.myers
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755
Whiteboard: 1, LEGACY, rh73, rh90
Doc Type: Bug Fix
Last Closed: 2005-05-13 00:55:35 UTC

Description David Lawrence 2005-03-30 23:26:46 UTC
The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly
PStore, creates files with insecure permissions, which can allow local users to
steal session information and hijack sessions.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130065
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130063



------- Additional Comments From dwb7.edu 2004-08-31 12:22:30 ----

There's a patch in there... somewhere. It seems RH has rpms which fix the issue,
but I haven't managed to find them anywhere yet. We most likely would want the
patch from the 2.1AS rpms.



------- Additional Comments From dom 2004-09-30 04:59:31 ----

RHEL updates: http://rhn.redhat.com/errata/RHSA-2004-441.html



------- Additional Comments From marcdeslauriers 2004-10-08 19:07:24 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updates packages to QA for 73, 9 and fc1.

Can someone test these? I have no idea how...

Changelog:
* Fri Oct 08 2004 Marc Deslauriers <marcdeslauriers> - 1.6.8-6.legacy
- - Added security patch for CAN-2004-0755

9574a19d2c71eabbc803e0f85f233ca50742628c  7.3/ruby-1.6.7-3.legacy.i386.rpm
3a57129ccf1a05c765da7e1b1c17f45154916f07  7.3/ruby-1.6.7-3.legacy.src.rpm
0e20c33f93bbd2d972f2ee5223ace915afffd56b  7.3/ruby-devel-1.6.7-3.legacy.i386.rpm
880397b2d5811740d13f1fbd29fe2be0460253c3  7.3/ruby-docs-1.6.7-3.legacy.i386.rpm
f936fb781f44b4d33ee6ba95e282f2a195d83ad4  7.3/ruby-libs-1.6.7-3.legacy.i386.rpm
6f31b6e242a381e8e1f6f3cedc81fc2475a34ba1  7.3/ruby-mode-1.6.7-3.legacy.i386.rpm
cf28acb2e616cf684f9576a937456bf8cbe01f35  7.3/ruby-mode-xemacs-1.6.7-3.legacy.i386.rpm
a451ede03c0bcfd38c303ae95dd6fc3f86de79ac  7.3/ruby-tcltk-1.6.7-3.legacy.i386.rpm
53794fd8418983a399bc04a3d0d1f4c33661ad91  7.3/irb-1.6.7-3.legacy.i386.rpm
801d9823b8033d91769d234d2af4b9801ac8dd48  9/ruby-1.6.8-6.legacy.i386.rpm
4920a23d4ea8028262ad28d9d000eb4c69c924d6  9/ruby-1.6.8-6.legacy.src.rpm
0e4992871d66819dcccbe6bf7c0094c0ca9acc42  9/ruby-devel-1.6.8-6.legacy.i386.rpm
2783c63aecd5cb9ee03e50bb46cb176ba53b1796  9/ruby-docs-1.6.8-6.legacy.i386.rpm
f8f3de5f25223e8703cc2decdb6f24d7f16a2d54  9/ruby-libs-1.6.8-6.legacy.i386.rpm
0da88f7615e1dd1530560f0df920e883467f6c5e  9/ruby-mode-1.6.8-6.legacy.i386.rpm
cbc70125edce1b608fe3c7352f5b5d14286bd0a2  9/ruby-tcltk-1.6.8-6.legacy.i386.rpm
1db8283fef9da3837d7be2d30ea652cb3b1c118f  9/irb-1.6.8-6.legacy.i386.rpm
14280217972dd9952f1daf89a3419b4c1696e9c5  1/ruby-1.8.0-2.legacy.i386.rpm
41a6c751ea7211928bbd66b65607ba5ea653fa1b  1/ruby-1.8.0-2.legacy.src.rpm
0c7eb2577988ad4da4211a43e216910ca966c39d  1/ruby-devel-1.8.0-2.legacy.i386.rpm
35748b4ca229f46a4b1b74d9e1b28d92f414b646  1/ruby-docs-1.8.0-2.legacy.i386.rpm
fa0e0daea139cef5216379e5edbae472ece4fffe  1/ruby-libs-1.8.0-2.legacy.i386.rpm
7edc9bc840fbd6de32124102f17a1120244fbadb  1/ruby-mode-1.8.0-2.legacy.i386.rpm
ee857a8272f2466c74a97ce8dab8d113201444e4  1/ruby-tcltk-1.8.0-2.legacy.i386.rpm
37802344579000cb957b48f784c361b9069a4af1  1/irb-1.8.0-2.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/
http://www.infostrategique.com/linuxrpms/legacy/9/
http://www.infostrategique.com/linuxrpms/legacy/1/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBZ3IlLMAs/0C4zNoRAgCoAJ43TpbICmvrJeJYzaUg5FnhES6mAQCfcjCm
v1mOXgwSdrZx8nT+aBnN3W0=
=MDpH
-----END PGP SIGNATURE-----




------- Additional Comments From josh.kayse.edu 2004-11-08 05:17:58 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 package:

41a6c751ea7211928bbd66b65607ba5ea653fa1b  ruby-1.8.0-2.legacy.src.rpm

- - source identical to previous release
- - patch looks good
- - builds cleanly
- - installs clean
- - spec file looks good
- - runs fine

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBj44JwnUFCSDmt7ERAuPoAKCW+XKNBG/Nf12cOIyMx8HalWaaHACfaLEc
NdTOvfgOg+OTPW1bgrGK/Qk=
=fxqi
-----END PGP SIGNATURE-----




------- Additional Comments From fedora-legacy-bugzilla-2004 2004-11-08 18:08:21 ----

A new vulnerability has been discovered in Ruby, which can be exploited by
malicious people to cause a DoS from remote. (CAN-2004-0983)

http://secunia.com/advisories/13123/



------- Additional Comments From deisenst 2004-11-09 18:41:27 ----

Created an attachment (id=917)
Fixes CAN-2004-0983, CGI DoS

Attachment taken from RedHat Bugzilla, bug # 138366
   http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138366



------- Additional Comments From deisenst 2004-11-09 18:50:51 ----

With the above patch, can someone see if it applies well to the various sources,
and re-submit .src.rpm packages?   -David



------- Additional Comments From deisenst 2004-11-19 03:16:07 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package for QA for Fedora Core 1:

 SHA1SUM                                   NAME
 ========================================  ===========================
 dedbc81c755c67ee02a43e0f8f25473dd8fe3917  ruby-1.8.0-3.legacy.src.rpm

http://members.gtw.net/~deisenst/legacy/FC1/SRPMS/ruby-1.8.0-3.legacy.src.rpm

 ===============
Changelog:
* Wed Nov 17 2004 David Eisenstein <deisenst> 1.8.0-3.legacy
- - Added security patch for CAN-2004-0983
                                                                                
* Fri Oct  8 2004 Marc Deslauriers <marcdeslauriers> 1.8.0-2.legacy
- - Added security patch for CAN-2004-0755
- - Disabled make test (for some reason, doesn't always work)

Ruby interpreter on my machine seems to work for the sample .rb script files.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBnfEpxou1V/j9XZwRAnzhAKDPcOhWNmWuwcz/qFGB7NfYw94pUACg3ri/
Mbr6ZqiHXHCbfWz/dvk59u4=
=9vDf
-----END PGP SIGNATURE-----




------- Additional Comments From rob.myers.edu 2004-11-19 10:33:15 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
i did QA on david's fc1 package:
dedbc81c755c67ee02a43e0f8f25473dd8fe3917  ruby-1.8.0-3.legacy.src.rpm
  
sha1sum ok
source files ok (compared to ruby-1.8.0-1)
spec file ok
patch for CAN-2004-0983 looks good (the same as ruby-1.8.1-6.FC2.0)
builds fine. (one innocuous file listed twice warning)
cra's rpm-build-compare script looks good
installs ok
runs ok (at least the minesweeper demo did)
  
but is the patch for CAN-2004-0755 complete?  i don't know ruby
so i'm not really sure.
 
gentoo is using this patch for CAN-2004-0755:
 
from:
http://darkstar.ist.utl.pt/gentoo/portage/dev-lang/ruby/files/ruby-1.8.0-CGI::Session.patch
 
diff -urN ruby-1.8.0.orig/lib/cgi/session/pstore.rb
ruby-1.8.0/lib/cgi/session/pstore.rb
- --- ruby-1.8.0.orig/lib/cgi/session/pstore.rb 2003-07-15 14:38:05.000000000
+0900
+++ ruby-1.8.0/lib/cgi/session/pstore.rb        2004-08-19 22:00:06.000000000
+0900
@@ -32,6 +32,9 @@
          @hash = {}
        end
        @p = ::PStore.new path
+       @p.transaction do |p|
+         File.chmod(0600, p.path)
+       end
       end
  
       def restore
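Review bot: the File.chmod(0600, p.path) runs inside a transaction that has already created the store file when it did not exist, so the file briefly exists with the umask-derived mode before the chmod lands; another local user who opens it in that window keeps a readable descriptor. Creating the file with an explicit 0600 mode (File.open with File::CREAT|File::EXCL and mode 0600) before handing the path to ::PStore.new would remove the window. On the plus side, because the chmod runs on every initialization, session files created before this patch are tightened the next time they are opened.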
diff -urN ruby-1.8.0.orig/lib/cgi/session.rb ruby-1.8.0/lib/cgi/session.rb
- --- ruby-1.8.0.orig/lib/cgi/session.rb        2003-07-24 01:44:55.000000000 +0900
+++ ruby-1.8.0/lib/cgi/session.rb       2004-08-19 21:57:23.000000000 +0900
@@ -124,7 +124,7 @@
        begin
          @f = open(path, "r+")
        rescue Errno::ENOENT
- -       @f = open(path, "w+")
+         @f = File.open(path, File::CREAT|File::RDWR, 0600)
        end
       end
  
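Review bot: the new File.open(path, File::CREAT|File::RDWR, 0600) is reached only after open(path, "r+") raised Errno::ENOENT, and without File::EXCL a file (or symlink) planted at that path by another local user between the two opens is silently reused with its mode untouched; adding File::EXCL makes the create atomic and turns that case into an error instead. The "r+" branch is unchanged, so session files created before the update keep whatever mode they already have until they are removed.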
 
 
the patch ruby-1.8.0-CAN-2004-0755.patch is included with ruby-1.8.0-3.legacy:
 
diff -Naur ruby-1.8.0.ori/lib/cgi/session.rb ruby-1.8.0/lib/cgi/session.rb
- --- ruby-1.8.0.ori/lib/cgi/session.rb   2003-07-23 12:44:55.000000000 -0400
+++ ruby-1.8.0/lib/cgi/session.rb       2004-10-08 20:41:33.000000000 -0400
@@ -124,7 +124,7 @@
        begin
          @f = open(path, "r+")
        rescue Errno::ENOENT
- -         @f = open(path, "w+")
+         @f = File.open(path, File::CREAT|File::RDWR, 0600)
        end
       end
   
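Review bot: this patch carries only the lib/cgi/session.rb hunk; the lib/cgi/session/pstore.rb change present in the Gentoo patch above is missing, so the PStore-backed session store that the CAN-2004-0755 description also names still creates its file with the umask-derived mode. The File::EXCL remark for the Gentoo session.rb hunk applies to this File.open line as well.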
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBnlfEtU2XAt1OWnsRAjX7AJ9Wx9+jJJj+upVynr3qZIHmFwaNIwCgw9wa
IxMzWSGRde+kebd76dppcYk=
=ktl/
-----END PGP SIGNATURE-----




------- Additional Comments From deisenst 2004-11-20 16:33:30 ----

Good catch, Rob!  Thanks!  I'll be submitting a new source package forthwith.



------- Additional Comments From deisenst 2004-11-22 00:54:56 ----

Created an attachment (id=930)
CGI Session File Permissions patch [CAN-2004-0755]

This patch, for FC1's ruby-1.8.0, is based upon Red Hat's Fedora Core 2 patch
to ruby-1.8.1 (RH Bugzilla #130063) by Akira Tagoh.  It appears to do a lot
more than secure the session file.  It alters methods in the
CGI::Session::FileStore class to only open the session file when it either
needs to read from it or write to it, instead of the original behavior of
opening it and keeping it open unless explicitly closed with a "session.close".


See the next attachment for a test script to test the behavior of this new
patch.




------- Additional Comments From deisenst 2004-11-22 01:33:48 ----

Created an attachment (id=931)
File permissions test script for CAN-2004-0755

This attachment is a Ruby test script that should test the behavior of Ruby's
CGI::Session::FileStore class. It is based on a test script that Josh Bressers
of Red Hat wrote (in RH Bugzilla #130065) to do the same thing, but a little
more fleshed out.

To use this script, I do this:
   $  export QUERY_STRING="HELLO=there&A=C&B=D&testing=yes"
   $  export REQUEST_METHOD="GET"
   $  ruby bressers-test-CAN-2004-0755.rb

While running this test script, I get a couple of warnings, but it does seem to
adequately demonstrate file permissions on the session file are being set
correctly.  Unless you uncomment the last line of this Ruby script, you will
need to delete the /tmp/blah_* session file(s) yourself when you're done
testing using this script.
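A stand-alone reproduction of the permission problem described at the top of this bug and exercised by the test script above, added here as an example; it is not Ruby's own lib/cgi/session.rb and not the bressers-test script attached to the bug (which is not reproduced on this page). Instead of going through CGI::Session it performs the same two file creations FileStore did before and after the fix, so it runs without QUERY_STRING or REQUEST_METHOD. The scratch directory, the blah_ file names, the permissive umask and the File::EXCL flag are this example's own choices, not something the bug's patches contain.

```ruby
# Added example for CAN-2004-0755: session file created the pre-patch way
# versus the patched way, plus a check for leftover world-readable files.
require 'tmpdir'

# Pre-patch behaviour of CGI::Session::FileStore: open(path, "w+") creates
# the file with 0666 masked by the process umask, typically 0644, so every
# local user can read the serialized session data.
def create_session_file_insecure(path)
  f = File.open(path, "w+")
  f.close
  File.stat(path).mode & 0777
end

# Patched behaviour: the file is created with an explicit 0600 mode.
# File::EXCL is this example's addition (the bug's patches do not use it):
# it makes the create atomic, so a file or symlink planted at the same path
# by another local user in the shared tmpdir raises Errno::EEXIST instead of
# being reused with its old mode.
def create_session_file_secure(path)
  f = File.open(path, File::CREAT | File::EXCL | File::RDWR, 0600)
  f.close
  File.stat(path).mode & 0777
end

# Create one file each way in a scratch directory under a 022 umask and
# return [insecure_mode, secure_mode] as integers (e.g. [0644, 0600]).
def demo_session_modes
  old_umask = File.umask(022)
  Dir.mktmpdir("cgi_session_demo") do |dir|
    insecure = create_session_file_insecure(File.join(dir, "blah_insecure"))
    secure   = create_session_file_secure(File.join(dir, "blah_secure"))
    [insecure, secure]
  end
ensure
  File.umask(old_umask) if old_umask
end

# Audit helper: session files in dir (prefix "blah_" as in the test script)
# that still have a group or other read bit set, i.e. readable by users
# other than the CGI process owner.
def world_readable_session_files(dir, prefix = "blah_")
  Dir.glob(File.join(dir, "#{prefix}*")).select do |p|
    (File.stat(p).mode & 0044) != 0
  end
end

if __FILE__ == $0
  insecure, secure = demo_session_modes
  printf("before fix: %04o   after fix: %04o\n", insecure, secure)
end
```

Run it as an unprivileged user; to audit a real deployment, point world_readable_session_files at the session directory (/tmp by default for CGI::Session) and expect an empty list after the update has been applied and old session files have been removed.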



------- Additional Comments From deisenst 2004-11-22 02:22:21 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package for QA for Fedora Core 1:

 SHA1SUM                                   NAME
 ========================================  ===========================
 39f201e593a314f19aae33cf5fd12371319e6c1b  ruby-1.8.0-4.legacy.src.rpm

http://members.gtw.net/~deisenst/legacy/FC1/SRPMS/ruby-1.8.0-4.legacy.src.rpm

 ===============
Changelog:
* Sat Nov 20 2004 David Eisenstein <deisenst> 1.8.0-4.legacy
- - Redid security fix [CAN-2004-0755]
- - ruby-1.8.0-cgi_session_perms.patch: sets the permission of the session data
  file to 0600. Backport of FC2's patch to 1.8.1. (#2007)
- - Re-enabled make test.

* Wed Nov 17 2004 David Eisenstein <deisenst> 1.8.0-3.legacy
- - security fix [CAN-2004-0983]
- - ruby-1.8.0-cgi-dos.patch: applied to fix a denial of service issue. (#2007)

* Fri Oct  8 2004 Marc Deslauriers <marcdeslauriers> 1.8.0-2.legacy
- - Added security patch for CAN-2004-0755
- - Disabled make test (for some reason, doesn't always work)

Ruby interpreter on my machine works for the sample .rb script files.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBodpLxou1V/j9XZwRAt9fAJwM7w9JTUAysGu6fSgD5cUyTBlh3wCgyz+u
hYvO0C7tbCI9Z23fGpB3c8U=
=LAjJ
-----END PGP SIGNATURE-----




------- Additional Comments From rob.myers.edu 2004-11-24 06:24:13 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
i did QA on david's fc1 package:
39f201e593a314f19aae33cf5fd12371319e6c1b  ruby-1.8.0-4.legacy.src.rpm
 
sha1sum ok
source files ok (compared to ruby-1.8.0-1)
spec file ok
patch for CAN-2004-0983 looks good (renamed from ruby-1.8.0-CAN-2004-0983.patch
to ruby-1.8.0-cgi-dos.patch)
patch for CAN-2004-0755 looks better, passes test script
builds ok (may have to disable make test to build in mach, and one innocuous
file listed twice warning)
cra's rpm-build-compare script looks good
installs ok
runs ok
 
+PUBLISH
  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBpLURtU2XAt1OWnsRAuL5AJ9ZZz9fNgq4lrioFJxdYY+keWAYxQCffzas
Wn7DU+VfnYJyk4z2cKM92eE=
=4jLi
-----END PGP SIGNATURE-----




------- Additional Comments From josh.kayse.edu 2004-12-07 06:15:33 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 package:

39f201e593a314f19aae33cf5fd12371319e6c1b  ruby-1.8.0-4.legacy.src.rpm

- - source files identical to previous rls
- - patch files look good
- - spec file looks good, except for file listed twice
- - builds cleanly
- - installs cleanly
- - runs ok

++PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBtdcYwnUFCSDmt7ERAqBSAKClknzXad2VgOyw0CKL27uHjSIhlQCfcjjy
TfLl0eVW3Vu/WKKgUrwXygY=
=S7Vf
-----END PGP SIGNATURE-----




------- Additional Comments From deisenst 2005-01-11 13:01:33 ----

This bug is over 4 1/2 months old.  I've been wondering if anybody is going
to submit new Ruby packages for RH7.3 and RH9 to handle the new CAN-2004-0983
CGI DoS vulnerability as well as to ensure the CGI Session File Permissions
patch, CAN-2004-0755, is complete?

If no one does so, I will try to do so; however, I don't have RH7.3 or RH9
on my machine, so the best I can do is create the packages and let others
test them by compiling and installing in their RH7.3 or RH9 installations for
PUBLISH.

Thoughts?  Comments?   -David



------- Additional Comments From pekkas 2005-01-11 22:00:21 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Here's SRPM for RHL9:
 - I took the patches straight from RHEL3
 - builds, installs, and passes the .rb file test.
 
http://www.netcore.fi/pekkas/linux/ruby-1.6.8-6.1.legacy.src.rpm
 
3e3f51f9c006bb2865cd7246c4bb1e76e5d3f973  ruby-1.6.8-6.1.legacy.src.rpm
 
* Wed Jan 12 2005 Pekka Savola <pekkas> 1.6.8-6.1.legacy
- - fix CAN-2004-0755, CAN-2004-0983 (#2007)
 
...
 
I also already backported the other patch (cgidos works as is) for RHL73, but
because I don't have an RHL73 system w/ emacs & xemacs, I cannot create a SRPM.
The compilation works though.
 
I added a "return unless @hash" in the patch because that seemed
appropriate, existing in ruby-1.6.8.
 
cf42235a6c5d4ec547293501be74245ae3064a19  ruby-1.6.7-cgi_session_perms.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFB5NjqGHbTkzxSL7QRAiWjAJwLGpH+BQEx9cQovQrov1NjJz3Y6gCeMYQJ
GLeV9akI2dQ0EKCMcm6w2lA=
=l0DM
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas 2005-01-11 22:01:42 ----

Oh yes, the patch is available (if someone wants to take it) from the similar
URL as the SRPM.



------- Additional Comments From deisenst 2005-01-20 11:20:20 ----

Re:  ruby-1.6.7 for RHL 7.3:

Marc Deslauriers' ruby-1.6.7-cgi_session_perms.patch for ruby (in comment #3
ruby-1.6.7-3.legacy.src.rpm) looks complete as it is.  The "return
unless @hash" is in the update method of session.rb, like it is in Pekka's
patch in comment 17.  (It is essentially the patch in attachment 930
with the first hunk yanked out (since ruby-1.6.7 has no pstore.rb),
and the line numbers rejiggered.)

Comment #20 will be a new package with the new ruby-1.6.7-cgi-dos.patch.

RH 7.3 users, Please compile and test the following package!  (If you want,
you can use the test script mentioned in comment 12.)

Thanks!!	-David




------- Additional Comments From deisenst 2005-01-20 11:28:55 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Updated package for QA for Red Hat Linux 7.3, includes the security patch
for CAN-2004-0983, CGI DoS:

 SHA1SUM                                   NAME
 ========================================  ===========================
 dd7f94038fa094b7ff81fcb72d2086159bb15ad1  ruby-1.6.7-4.legacy.src.rpm

http://members.gtw.net/~deisenst/legacy/RH7.3/SRPMS/ruby-1.6.7-4.legacy.src.rpm

As I don't run RHL 7.3, please test!  Thanks!

 ===============
 Changelog:
 
* Mon Jan 17 2005 David Eisenstein <deisenst> 1.6.7-4.legacy
- - Added security patch for CAN-2004-0983, CGI Denial of Service
  (Fedora Legacy Bugzilla # 2007)

* Fri Oct  8 2004 Marc Deslauriers <marcdeslauriers> 
  1.6.7-3.legacy
- - Added security patch for CAN-2004-0755

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFB8CJ3xou1V/j9XZwRArjkAJ9AubaC1Oxr+YHuuOlmRcztHBxMCwCgjMJZ
XSrwMdh/hPuciG4gMulVo6c=
=NCNE
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas 2005-01-20 21:55:32 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
As said, I can't recompile this, but I did the other QA:
 - source integrity OK
 - patches are OK
 - spec file changes OK
 
+PUBLISH
 
dd7f94038fa094b7ff81fcb72d2086159bb15ad1  ruby-1.6.7-4.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFB8LVoGHbTkzxSL7QRArPSAKCukVY6f4GJiyu0Hc7WeQab7WNKHACeM1DN
PPpECFJJE28QDWSJmj1jum0=
=lQHv
-----END PGP SIGNATURE-----




------- Additional Comments From dwb7.edu 2005-01-23 13:37:31 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rebuilt the ruby srpm on rh7.3. Built and installed ok.

sha1sum:
dd7f94038fa094b7ff81fcb72d2086159bb15ad1 *ruby-1.6.7-4.legacy.src.rpm

+PUBLISH

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFB9DT7SY7s7uPf/IURAggPAKDUqtl9FVsWvb5FZVDEYGtVoTOv8ACgtKfq
ZTNQqVG3DjOKJ1ntm1xCVE0=
=qvQg
-----END PGP SIGNATURE-----



------- Additional Comments From deisenst 2005-02-06 07:05:08 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


QA for RH9 version of ruby by Pekka Savola in comment 17:

3e3f51f9c006bb2865cd7246c4bb1e76e5d3f973  ruby-1.6.8-6.1.legacy.src.rpm

  - sha1sum OK
  - spec file changes okay
  - patch files look fine
  - patches applied okay
  - built okay (on FC1 system; I don't have mach [yet])
  - did not install packages, since this is RH9.

As I don't have a RH9 environment nor mach, I could not test building
packages on that environment nor installing or running.  That all said,
I vote:

   PUBLISH+  RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCBk3Sxou1V/j9XZwRAi3+AJ9MusHER6Zxls9+PaOGsJzIXgEMrACeJMDK
YbIPk5wzv2rGrvWIgnKqwZk=
=45Jt
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2005-02-13 08:48:47 ----

Argh...although rh73 and rh9 built fine, I can't build fc1 in mach. There is a
bunch of files missing from ruby-libs after building.



------- Additional Comments From pekkas 2005-02-14 23:18:48 ----

Hmm.  Do you have a build log?  What kind of files are those, could they be
caused by missing buildreqs?



------- Additional Comments From marcdeslauriers 2005-02-15 15:51:32 ----

Found the problem:
missing BuildRequires:  groff bison tcl-devel tk-devel




------- Additional Comments From deisenst 2005-02-18 14:06:34 ----

Pushed to updates-testing today.



------- Additional Comments From pekkas 2005-02-18 21:51:21 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Basic QA for RHL9 and RHL73:
 - PGP signature OK
 - install went fine
 - ran the bressers ruby exploit test and it worked OK

+VERIFY RHL9,RHL73

3ff73cc2715e1e05b89c793a990d632a6e2d5ebc  ruby-1.6.8-6.2.legacy.i386.rpm
f8c4d14d8bbc90e974824eb355f7031d6d988fbb  ruby-docs-1.6.8-6.2.legacy.i386.rpm
9221938904eb3752f6f662793590d0fd485717a3  ruby-1.6.7-5.legacy.i386.rpm
f57720143f0c3cc0414f35bac468d2a43a4f4ba5  ruby-libs-1.6.7-5.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCFu+xGHbTkzxSL7QRAgdnAJ0Rfx0t5XPMAtK1EGUasa/5tZmBMQCfQAyy
OLTNMFiuhq7fg6WO15PRTBQ=
=Wits
-----END PGP SIGNATURE-----



------- Bug moved to this database by dkl 2005-03-30 18:26 -------

This bug previously known as bug 2007 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2007
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Fixes CAN-2004-0983, CGI DoS
https://bugzilla.fedora.us/attachment.cgi?action=view&id=917
CGI Session File Permissions patch [CAN-2004-0755]
https://bugzilla.fedora.us/attachment.cgi?action=view&id=930
File permissions test script for CAN-2004-0755
https://bugzilla.fedora.us/attachment.cgi?action=view&id=931

Unknown priority P3. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 mschout 2005-05-09 23:37:35 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FC1 Verify:

sha1: ok
f316e376df3ec8ef4d36492f1059fc830116579a  ruby-1.8.0-5.legacy.i386.rpm
99152c9afef3260c395d98918f6dce80cdde6b33  ruby-devel-1.8.0-5.legacy.i386.rpm
db7227360fff6dd7bfa038732267296867bfc100  ruby-docs-1.8.0-5.legacy.i386.rpm
a1cdd38cd7899553856b474ab8a83430be7c0416  ruby-libs-1.8.0-5.legacy.i386.rpm
ee5fb8899a19891ad523a0eedaa2b91ce9e99bd4  ruby-mode-1.8.0-5.legacy.i386.rpm
b04a2aab214b5acdcc244efd13953dca51255d64  ruby-tcltk-1.8.0-5.legacy.i386.rpm

dsa sha1 md5 gpg signatures OK

installed all packages without any warnings or errors

ran the Bressers test script successfully.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCgDpL+CqvSzp9LOwRArMIAJ48KzNQdDruBrsLgKTDtJVqHvWWmACcCqeQ
y8GmG7DluXpzGZDxZxUTaYc=
=TNM+
-----END PGP SIGNATURE-----


Comment 2 Marc Deslauriers 2005-05-13 00:55:35 UTC
Released to updates