Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3086 to the following vulnerability:

A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086
http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
http://www.vupen.com/english/advisories/2009/2544

Upstream patches:
-----------------
http://weblog.rubyonrails.org/assets/2009/9/4/2-2-timing-weakness.patch
http://weblog.rubyonrails.org/assets/2009/9/4/2-3-timing-weakness.patch
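The weakness described in the report above, as an added example in Ruby that is not part of this bug thread, of Rails, or of the upstream patches: a toy cookie-store verifier with the early-exit string comparison beside a constant-time one, and a byte-at-a-time recovery of the HMAC digest that uses the number of bytes the comparison examined as a deterministic stand-in for the timing signal a remote attacker would measure. The secret, the cookie payload and the "data--digest" layout are constructed for the example; the constant-time compare is written here in the usual shape for this class of fix and is not copied from the Rails patches.

```ruby
require 'openssl'

# Constructed demo values (not from the bug report or from Rails).
SECRET = 'demo-only-cookie-secret-do-not-reuse'
DATA   = 'user_id=42&role=member'
HEX    = ('0'..'9').to_a + ('a'..'f').to_a

# HMAC-SHA1 hex digest, 40 characters, over the cookie payload.
def generate_digest(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Signed cookie in a "data--digest" layout (assumed for the example).
def sign(data)
  "#{data}--#{generate_digest(data)}"
end

# Vulnerable comparison: returns at the first differing byte, so the work done
# (and the wall-clock time) grows with the length of the matching prefix.
# Returns [match?, bytes_examined] so the leak can be observed deterministically.
def leaky_compare(expected, candidate)
  return [false, 0] unless expected.bytesize == candidate.bytesize
  examined = 0
  expected.bytes.zip(candidate.bytes).each do |x, y|
    examined += 1
    return [false, examined] if x != y
  end
  [true, examined]
end

# Constant-time comparison: every byte is XORed and OR-accumulated, so the
# work done does not depend on where (or whether) the strings differ.
def secure_compare(expected, candidate)
  return [false, 0] unless expected.bytesize == candidate.bytesize
  result = 0
  examined = 0
  expected.bytes.zip(candidate.bytes) do |x, y|
    result |= x ^ y
    examined += 1
  end
  [result.zero?, examined]
end

# Verify a "data--digest" cookie with the chosen comparison (:leaky or :secure).
def verify_cookie(cookie, mode)
  data, digest = cookie.split('--', 2)
  return [false, 0] if digest.nil?
  expected = generate_digest(data)
  mode == :secure ? secure_compare(expected, digest) : leaky_compare(expected, digest)
end

# Attacker's oracle: bytes examined stands in for response time; an accepted
# cookie is directly observable, so a full match scores one higher.
def oracle(data, digest_guess, mode)
  ok, examined = verify_cookie("#{data}--#{digest_guess}", mode)
  examined + (ok ? 1 : 0)
end

# Scores for all 16 hex characters in the first digest position.
def first_position_scores(data, mode, length = 40)
  HEX.map { |c| oracle(data, c + '0' * (length - 1), mode) }
end

# Recover the digest one hex character at a time by keeping, at each position,
# the candidate that makes the verifier do the most work. Against the leaky
# compare this yields the real digest without knowing SECRET; against the
# constant-time compare every candidate scores the same and the loop learns nothing.
def forge_digest(data, mode, length = 40)
  known = String.new
  length.times do |i|
    best = HEX.max_by { |c| oracle(data, known + c + '0' * (length - i - 1), mode) }
    known << best
  end
  known
end

if __FILE__ == $PROGRAM_NAME
  real = generate_digest(DATA)
  puts "real digest:        #{real}"
  puts "forged via leaky:   #{forge_digest(DATA, :leaky)}"
  puts "forged via secure:  #{forge_digest(DATA, :secure)}"
  puts "leaky scores, pos 0:  #{first_position_scores(DATA, :leaky).inspect}"
  puts "secure scores, pos 0: #{first_position_scores(DATA, :secure).inspect}"
end
```

Running the file prints the recovered digest equal to the real one for the leaky verifier, while the constant-time verifier returns the same score for every candidate, so the position-by-position search degenerates to a guess. In a real deployment the "bytes examined" signal is a timing difference of nanoseconds per byte, recovered by averaging many requests, which is why the advisory speaks of forging the digest "via multiple attempts".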
This issue affects the version of rubygem-actionpack as shipped with Fedora release 10 (and potentially also with 11 -- didn't check). Please fix.
I've submitted a build of 2.1.1 with the 2.2.x patch applied for review; I'll submit it to epel-5-updates stable or testing depending on today's feedback: http://koji.fedoraproject.org/koji/taskinfo?taskID=2148375
It doesn't look like rubygem-actionpack-2.1.1-6.el5 was ever submitted to EPEL5; when I look for the latest release version I see -5.el5. Do you still intend to submit that fix?
Created rubygem-actionpack tracking bugs for this issue

Affects: epel-5 [bug 961066]
Tracking bug filed for EPEL5 so this can be followed up there; no need to keep this open when it's fixed everywhere else for the last three years.