Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6612 to the following vulnerability: Directory traversal vulnerability in DirHandler (lib/mongrel/handlers.rb) in Mongrel 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to read arbitrary files via an HTTP request containing double-encoded sequences (".%252e").

References:
http://rubyforge.org/pipermail/mongrel-users/2007-December/004733.html
http://rubyforge.org/pipermail/mongrel-users/2007-December/004736.html
http://rubyforge.org/pipermail/mongrel-users/2007-December/004742.html
http://rubyforge.org/pipermail/mongrel-users/2007-December/004743.html
http://mongrel.rubyforge.org/news.html
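To illustrate the bug class named above (not Mongrel's own code): a "reject .." check that decodes the path once, which a double-encoded ".%252e" passes because one decode only yields ".%2e", beside a resolver that decodes, refuses residual encoding, canonicalizes and confines the result to the document root. DOC_ROOT is a hypothetical path chosen for the example.

```ruby
# Constructed example; DOC_ROOT is a hypothetical document root, not a real deployment.
DOC_ROOT = File.expand_path("/srv/www/public")

# Decode %XX sequences exactly once, the way a single URL-decoding stage does.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# The weak pattern: decode once, then look for a literal ".." segment.
# "/.%252e/x" decodes to "/.%2e/x", which contains no "..", so it is accepted;
# a later decode (or a second decoding layer) turns it into "/../x".
def naive_safe?(request_path)
  decoded = percent_decode(request_path)
  !decoded.split("/").include?("..")
end

# Hardened resolver: returns the canonical on-disk path, or nil if the request
# cannot be proven to stay inside root.
def resolve_under_root(request_path, root = DOC_ROOT)
  decoded = percent_decode(request_path)
  # A "%" surviving one decode means the client encoded more than once;
  # refuse outright instead of decoding in a loop.
  return nil if decoded.include?("%")
  return nil if decoded.include?("\0")          # null byte would truncate in C APIs
  rel = decoded.sub(%r{\A/+}, "")                # make it relative to root
  return nil if rel.start_with?("~")             # expand_path would treat ~ as a home dir
  candidate = File.expand_path(rel, root)        # collapses "." and ".." lexically
  # Only root itself or a descendant of root is acceptable; string prefix
  # check with the separator avoids matching "/srv/www/public2".
  return nil unless candidate == root || candidate.start_with?(root + File::SEPARATOR)
  candidate
end
```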
As this bug was introduced in 1.0.4 (1.0.3 and earlier are not susceptible), the current Fedora package (which is at 1.0.1) is not vulnerable. I will upgrade the packages to 1.0.5 or 1.1.3 when I get the chance, though.
Thanks, Scott, for the clarification. As the versions shipped in Fedora are not affected by this issue, we will not be tracking this as a security issue and I'm closing this bug. If you decide to update to a newer version in Fedora, please submit such an update as an enhancement, unless some other (future) security issue is addressed there.