Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5189 to the following vulnerability: CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5189 http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk http://www.securityfocus.com/bid/32359 Note: The "offet-limit-sanitization" issue was originally reported as CVE-2008-4094 and we already fixed it in all related packages. Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-4094 for more details.
If I read correct, the 2.0.x, 2.1.x and 2.2.x series are affected - which means ALL Fedora and EPEL branches - right?
Yes, this issue affects all versions of the rubygem-actionpack package, as shipped within the Fedora release of 8, 9, 10 and as shipped within the EPEL project.
According to: http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing This issue was fixed upstream in 2.1.2. Alternatively, following patch can be used: http://weblog.rubyonrails.org/assets/2008/10/19/2.1.x.redirect_to_sanitisation.diff 2.1.1 seems to be the current version in both all stable Fedora versions and EPEL5.
rubygem-actionpack packages 2.2.2 currently in Rawhide have the sanitisation patch included.
I'm checking in rubygem-actionpack 2.1.1-2 in F-10, F-9 and EL-5 right now
rubygem-actionpack-2.1.1-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-2.fc10
rubygem-actionpack-2.1.1-2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-2.fc9
rubygem-actionpack-2.1.1-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-actionpack-2.1.1-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This bug should have been closed already... bodhi!!