Bug 472510 - (CVE-2008-5189) CVE-2008-5189 rubygems-actionpack: redirect HTTP header injection vulnerability
Product: Security Response
Classification: Other
Component: vulnerability
Platform/OS: All Linux
Priority: low
Severity: low
Assigned To: Jeroen van Meeuwen
QA Contact: Fedora Extras Quality Assurance
Whiteboard: reported=20081119, public=20081014,so...
Keywords: Security
Reported: 2008-11-21 05:27 EST by Jan Lieskovsky
Modified: 2009-03-17 23:26 EDT
Doc Type: Bug Fix
Last Closed: 2009-03-17 23:26:51 EDT

Description Jan Lieskovsky 2008-11-21 05:27:08 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5189 to
the following vulnerability:

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows
remote attackers to inject arbitrary HTTP headers and conduct HTTP
response splitting attacks via a crafted URL to the redirect_to

Note: The "offset-limit-sanitization" issue was originally reported as CVE-2008-4094 and we already fixed it in all related packages. Please see

for more details.
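The vulnerability described above is a CRLF injection into the Location header: a redirect target containing a carriage return / line feed pair ends the header line early in the wire format, so whatever follows is parsed as additional headers or body. The following Ruby snippet is an added example, not code from this bug report or from the Rails project; the helper names (`raw_redirect_head`, `header_line_count`, `safe_redirect_location`, `sanitized_redirect_location`, `suspicious_redirect_param?`) and the sample URLs are constructed for illustration. It shows how to measure the effect of an unsanitised value, two ways a redirect helper can neutralise it (reject or strip), and a small check a defender can run over logged request parameters.

```ruby
# Added example (not from the bug report or the Rails project).
# All function names and sample values below are constructed for illustration.

require 'uri'

# Builds the raw response head a server would emit for a 302 redirect.
# Used only to make the effect of an unsanitised Location value visible:
# each "\r\n" in the value terminates a header line in the wire format.
def raw_redirect_head(location)
  "HTTP/1.1 302 Found\r\nLocation: #{location}\r\n\r\n"
end

# Counts header lines in a response head. A clean redirect has exactly two
# (status line and Location); more than that means the value split the block.
def header_line_count(head)
  head.sub(/\r\n\r\n\z/, '').split("\r\n").length
end

class UnsafeRedirectTarget < ArgumentError; end

# Strict policy: refuse any ASCII control character (CR and LF included) in
# the target before it reaches the Location header. Raising surfaces the bad
# input in application logs instead of silently emitting a malformed response.
def safe_redirect_location(location)
  if location =~ /[\x00-\x1f\x7f]/
    raise UnsafeRedirectTarget, 'control character in redirect target'
  end
  location
end

# Lenient policy: strip CR and LF instead of raising. A library that must keep
# working for existing callers may prefer this form of sanitisation.
def sanitized_redirect_location(location)
  location.delete("\r\n")
end

# Detection helper for log review: flags a request parameter that carries a
# literal or percent-encoded CR/LF, the precondition for this class of injection.
def suspicious_redirect_param?(value)
  decoded = URI.decode_www_form_component(value.to_s)
  decoded.match?(/[\r\n]/)
end

if __FILE__ == $PROGRAM_NAME
  clean = 'http://example.test/next'
  tainted = "http://example.test/next\r\nX-Example: 1" # constructed sample
  puts "clean head lines:   #{header_line_count(raw_redirect_head(clean))}"
  puts "tainted head lines: #{header_line_count(raw_redirect_head(tainted))}"
  puts "stripped target:    #{sanitized_redirect_location(tainted).inspect}"
end
```

The strict variant is the better default for application code that builds its own redirects from request input; the stripping variant mirrors the kind of change a framework ships when it cannot break existing callers. The detection helper is deliberately simple so it can be applied to access logs or WAF captures with a one-line loop.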
Comment 1 Robert Scheck 2008-11-21 06:04:23 EST
If I read correctly, the 2.0.x, 2.1.x and 2.2.x series are affected - which means
ALL Fedora and EPEL branches - right?
Comment 2 Jan Lieskovsky 2008-11-21 07:37:45 EST
Yes, this issue affects all versions of the rubygem-actionpack package,
as shipped within the Fedora release of 8, 9, 10 and as shipped within
the EPEL project.
Comment 3 Tomas Hoger 2009-01-09 04:03:19 EST
According to:

This issue was fixed upstream in 2.1.2.

Alternatively, the following patch can be used:

2.1.1 seems to be the current version in all stable Fedora versions and in EPEL5.
Comment 4 Tomas Hoger 2009-02-26 11:34:29 EST
rubygem-actionpack packages 2.2.2 currently in Rawhide have the sanitisation patch included.
Comment 5 Jeroen van Meeuwen 2009-02-27 10:56:48 EST
I'm checking in rubygem-actionpack 2.1.1-2 in F-10, F-9 and EL-5 right now
Comment 6 Fedora Update System 2009-02-27 11:19:48 EST
rubygem-actionpack-2.1.1-2.fc10 has been submitted as an update for Fedora 10.
Comment 7 Fedora Update System 2009-02-27 11:19:54 EST
rubygem-actionpack-2.1.1-2.fc9 has been submitted as an update for Fedora 9.
Comment 8 Fedora Update System 2009-02-27 22:22:15 EST
rubygem-actionpack-2.1.1-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2009-02-27 22:26:31 EST
rubygem-actionpack-2.1.1-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Jeroen van Meeuwen 2009-03-17 23:26:51 EDT
This bug should have been closed already... bodhi!!