Bug 522162 (CVE-2009-3086) - CVE-2009-3086 rubygem-actionpack: Message digest forgery
Summary: CVE-2009-3086 rubygem-actionpack: Message digest forgery
Alias: CVE-2009-3086
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://weblog.rubyonrails.org/2009/9/...
Depends On: 538231 538232 961066
Reported: 2009-09-09 15:57 UTC by Jan Lieskovsky
Modified: 2021-03-26 16:28 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-05-08 17:45:09 UTC

Description Jan Lieskovsky 2009-09-09 15:57:18 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3086 to
the following vulnerability:

A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x
before 2.3.4, leaks information about the complexity of message-digest
signature verification in the cookie store, which might allow remote
attackers to forge a digest via multiple attempts.


Upstream patches:

Comment 1 Jan Lieskovsky 2009-09-09 16:02:01 UTC
This issue affects the version of rubygem-actionpack as shipped
with Fedora release 10 (and potentially also with 11 -- didn't check).

Please fix.

Comment 3 Jeroen van Meeuwen 2010-04-30 12:34:26 UTC
I've submitted a build of 2.1.1 with the 2.2.x patch applied for review; I'll submit it to epel-5-updates stable or testing depending on today's feedback.


Comment 4 Vincent Danen 2011-06-14 19:58:26 UTC
It doesn't look like rubygem-actionpack-2.1.1-6.el5 was ever submitted to EPEL5; when I look for the latest release version I see -5.el5.  Do you still intend to submit that fix?

Comment 5 Vincent Danen 2013-05-08 17:43:00 UTC
Created rubygem-actionpack tracking bugs for this issue

Affects: epel-5 [bug 961066]

Comment 6 Vincent Danen 2013-05-08 17:45:09 UTC
Tracking bug filed for EPEL5 so this can be followed up there; no need to keep this open when it's fixed everywhere else for the last three years.
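
The CVE description at the top of this bug concerns digest verification that leaks information through how long it takes. As an added example (not part of this bug report and not the upstream Rails patch), the Ruby code below contrasts a verifier whose comparison can exit early with one that compares in constant time. It assumes the leak is an early-exit string comparison; the `data--digest` cookie layout, the `SECRET` value and all method names are assumptions made for the illustration.

```ruby
require 'openssl'

# Constructed secret for this example only; a real application uses its own session secret.
SECRET = 'constructed-example-secret-0123456789abcdef'

def digest_for(data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), SECRET, data)
end

# Sign a cookie payload as "data--digest" (layout assumed for this example).
def sign(data)
  "#{data}--#{digest_for(data)}"
end

# Split on the last "--"; return nil for anything that is not data--digest.
def split_cookie(cookie)
  data, sep, digest = cookie.to_s.rpartition('--')
  return nil if sep.empty? || data.empty? || digest.empty?
  [data, digest]
end

# Weak form: String#== may stop at the first differing byte, so the time
# taken can depend on how much of the supplied digest is already correct.
def verify_leaky(cookie)
  data, digest = split_cookie(cookie)
  return nil unless data
  digest == digest_for(data) ? data : nil
end

# Hardened form: XOR every byte pair and accumulate, so the work done does
# not depend on where the first mismatch occurs.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def verify_constant_time(cookie)
  data, digest = split_cookie(cookie)
  return nil unless data
  secure_compare(digest, digest_for(data)) ? data : nil
end
```

Both verifiers accept and reject the same cookies; the difference is only in how much the comparison's duration reveals about a rejected digest.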
