Rack (rubygem-rack) versions before 2.0.6 (and 1.6.x before 1.6.11) are vulnerable to a cross-site scripting (XSS) flaw via the `scheme` method on `Rack::Request`. The method returned the value of the client-controllable `X-Forwarded-Scheme` / `X-Forwarded-Proto` request headers without validating it, so an application that used `request.scheme` to build output (for example an absolute URL in a page) could be made to emit attacker-supplied markup. External Reference: https://groups.google.com/d/msg/rubyonrails-security/GKsAFT924Ag/DYtk-Xl6AAAJ
Created rubygem-rack tracking bugs for this issue: Affects: epel-all [bug 1646820] Affects: fedora-all [bug 1646819]
Red Hat OpenStack Platform and OpenShift Enterprise are not affected. Whilst the version of rack in use as a dependency in optional components is vulnerable, the vulnerable variable is not used in a way that could lead to XSS.
Upstream patches:
- https://github.com/rack/rack/commit/313dd6a05a5924ed6c82072299c53fed09e39ae7 (for 2.0-stable branch)
- https://github.com/rack/rack/commit/97ca63d87d88b4088fb1995b14103d4fe6a5e594 (for 1.6-stable branch)
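The following is an added illustration of the flaw and of the allowlist-style fix, written for this page; it is not Rack's own code and does not load the rack gem. `build_env`, `scheme_unvalidated`, `scheme_validated` and `canonical_link` are hypothetical stand-ins for `Rack::Request#scheme` and for an application that embeds the scheme in HTML; the environment hashes are constructed inline.

```ruby
# Constructed Rack-style env hash: the keys a reverse proxy or a direct client
# can influence. 'rack.url_scheme' is what the server itself determined.
def build_env(forwarded_scheme: nil, forwarded_proto: nil, https: nil)
  env = {
    'rack.url_scheme' => 'http',
    'HTTP_HOST'       => 'app.example',
    'PATH_INFO'       => '/login'
  }
  env['HTTPS'] = https if https
  env['HTTP_X_FORWARDED_SCHEME'] = forwarded_scheme if forwarded_scheme
  env['HTTP_X_FORWARDED_PROTO']  = forwarded_proto  if forwarded_proto
  env
end

# Vulnerable shape (pre-2.0.6 behaviour): whatever the forwarding headers
# carry is returned verbatim, so the "scheme" may be arbitrary text.
def scheme_unvalidated(env)
  return 'https' if env['HTTPS'] == 'on'

  env['HTTP_X_FORWARDED_SCHEME'] ||
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first ||
    env['rack.url_scheme']
end

# Hardened shape (hypothetical, modelled on the allowlist approach of the fix):
# a forwarded value is only honoured if it is one of the expected schemes;
# anything else falls back to the server-determined scheme.
SCHEME_ALLOWLIST = %w[http https].freeze

def scheme_validated(env)
  return 'https' if env['HTTPS'] == 'on'

  candidates = [
    env['HTTP_X_FORWARDED_SCHEME'],
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
  ]
  candidates.each { |c| return c if SCHEME_ALLOWLIST.include?(c) }
  env['rack.url_scheme']
end

# Typical sink: an application builds an absolute URL from request.scheme and
# interpolates it into HTML, trusting it to be "http" or "https".
def canonical_link(scheme, env)
  %(<link rel="canonical" href="#{scheme}://#{env['HTTP_HOST']}#{env['PATH_INFO']}">)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker header value: closes the href attribute and injects a script tag.
  payload = %("><script>alert(1)</script><a href=")
  hostile = build_env(forwarded_scheme: payload)

  puts "unvalidated: #{canonical_link(scheme_unvalidated(hostile), hostile)}"
  puts "validated:   #{canonical_link(scheme_validated(hostile), hostile)}"
  puts "proxy list:  #{scheme_validated(build_env(forwarded_proto: 'https, http'))}"
end
```

Note that output encoding at the sink is still the primary defence against XSS; validating the scheme merely stops a request header from becoming an HTML injection vector through a value most applications never escape. Applications that cannot upgrade can apply the same check themselves before using `request.scheme`, or strip `X-Forwarded-Scheme` / `X-Forwarded-Proto` at the proxy so only trusted infrastructure sets them.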
Statement: Red Hat OpenStack Platform and OpenShift Enterprise are not affected. Whilst the version of rack in use as a dependency in optional components is vulnerable, the vulnerable variable is not used in a way that could lead to XSS. Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. Red Hat CloudForms and Satellite 6 are not affected. Whilst the version of rack in use as a dependency in optional components is vulnerable, the vulnerable variable is not used in a way that could lead to XSS.