Bug 895277 (CVE-2012-6109)
Summary: | CVE-2012-6109 rubygem-rack: parsing Content-Disposition header DoS | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | athomas, bkabrda, bkearney, bleanhar, cpelland, dajohnso, esammons, iboverma, jeckersb, jialiu, jrusnack, katello-bugs, katello-internal, lmeyer, mcressma, mfisher, mmccune, mmcgrath, mmorsi, morazi, mrg-program-list, msuchy, sclewis, vanmeeuwen+fedora, vondruch |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-11-24 16:25:31 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 771152, 895285, 895397, 895398, 895400, 895401, 995680, 1165360 | ||
Bug Blocks: | 892883, 895284, 906653 |
Description
Vincent Danen
2013-01-14 23:48:12 UTC
Created rubygem-rack tracking bugs for this issue Affects: fedora-all [bug 895285] Created rubygem-rack tracking bugs for this issue Affects: epel-all [bug 771152] This bug now refers only to: Upstream released [1] Rack 1.4.2, 1.3.7, 1.2.6, and 1.1.4 to fix a denial of service condition when Rack parses content with a certain Content-Disposition header as noted in the original report [2]. This has been fixed in git [3]. [1] http://rack.github.com/ [2] https://groups.google.com/forum/#!msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ [3] https://github.com/rack/rack/commit/4fc44671b3cad569421f4f8b775c0590b86f575e The second flaw was split into bz 895384 This is the correct patch for rack-1.3: https://github.com/rack/rack/commit/c9f65df37a151821eb88ddd1dc404b83e52c52d5 rubygem-rack-1.3.0-3.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. rubygem-rack-1.4.0-4.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. rubygem-rack-1.4.0-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: CloudForms for RHEL 6 Via RHSA-2013:0548 https://rhn.redhat.com/errata/RHSA-2013-0548.html This issue has been addressed in following products: Red Hat Subscription Asset Manager 1.2 Via RHSA-2013:0544 https://rhn.redhat.com/errata/RHSA-2013-0544.html |