A flaw was found in HTTP digest authentication code in Ruby on Rails. This could allow remote attackers to bypass authentication by providing non-existent user name and nil / empty password. Detailed description, also with workaround: http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s Upstream patch: http://github.com/rails/rails/commit/056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489 Support for HTTP digest authentication was only introduced in version 2.3, so only F11/Rawhide should be affected by this problem. Older version 2.1.1 currently in F9, F10 and EPEL5 does not contain affected code.
CVE-2009-2422: The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
Fedora 12 currently contains 2.3.4, so this only affects Fedora 11 still.
If this effects only F11, please consider to close it as it is already EOL ?