[DRE-maint] Bug#959392: ruby-faye: CVE-2020-11020

Salvatore Bonaccorso carnil at debian.org
Fri May 1 21:19:25 BST 2020


Source: ruby-faye
Version: 1.2.4-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for ruby-faye.

CVE-2020-11020[0]:
| Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4,
| 1.1.3 and 1.2.5, has the potential for authentication bypass in the
| extension system. The vulnerability allows any client to bypass checks
| put in place by server-side extensions, by appending extra segments to
| the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11020
[1] https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5
[2] https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e

Regards,
Salvatore



More information about the Pkg-ruby-extras-maintainers mailing list