[DRE-maint] Bug#963477: ruby-rack: CVE-2020-8184

Salvatore Bonaccorso carnil at debian.org
Fri Jan 1 20:32:26 GMT 2021


Control: severity -1 grave

Cc'ing Utkarsh as one of the last uploaders.

On Mon, Jun 22, 2020 at 09:02:13AM +0200, Salvatore Bonaccorso wrote:
> Source: ruby-rack
> Version: 2.1.1-5
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> The following vulnerability was published for ruby-rack.
> 
> CVE-2020-8184[0]:
> | A reliance on cookies without validation/integrity check security
> | vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it
> | possible for an attacker to forge a secure or host-only cookie
> | prefix.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2020-8184
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8184
> 
> Please adjust the affected versions in the BTS as needed.

While strictly speaking this issue is no-dsa for buster, I'm raising
the severity to RC; would it be possible to address this issue for
unstable (and so bullseye) before the freeze?

Regards,
Salvatore
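As an added illustration of the cookie-prefix issue the quoted CVE text describes (this is example code written for this note, not Rack's own code, and the `__Host-`/`__Secure-` handling below is a simplified stand-in): the upstream advisory for CVE-2020-8184 describes the forgery as percent-encoding the cookie name, so a parser that decodes names after splitting can turn a name the browser never treated as prefixed into one the application trusts. The two parsers below differ only in whether the name is decoded; the sample `Cookie` header is constructed for this example.

```ruby
require 'cgi'

# Parser that percent-decodes the cookie NAME as well as the value.
# A name received as "%5F%5FHost-session" decodes to "__Host-session",
# so code that checks the prefix after parsing would trust a cookie the
# browser never applied __Host- rules to when it was stored.
def parse_cookies_decoding_names(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    next if pair.empty?
    raw_name, raw_value = pair.split('=', 2)
    next if raw_name.nil? || raw_name.empty?
    name = CGI.unescape(raw_name)
    cookies[name] ||= CGI.unescape(raw_value.to_s) # first occurrence wins
  end
end

# Hardened parser: the name is kept byte-for-byte as received and only the
# value is decoded. A prefixed name can then only show up if the client
# actually sent the literal "__Host-" or "__Secure-" bytes.
def parse_cookies_raw_names(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    next if pair.empty?
    name, raw_value = pair.split('=', 2)
    next if name.nil? || name.empty?
    value = begin
      CGI.unescape(raw_value.to_s)
    rescue ArgumentError
      raw_value.to_s # keep a malformed value rather than dropping the cookie
    end
    cookies[name] ||= value
  end
end

# Names in a parsed cookie hash that carry a prefix the application
# treats as trustworthy (assumed policy for this example).
def prefixed_cookie_names(cookies)
  cookies.keys.select { |name| name.start_with?('__Host-', '__Secure-') }
end

# Constructed sample header: the second cookie's name is percent-encoded.
SAMPLE_HEADER = 'theme=dark; %5F%5FHost-session=abc123; __Host-csrf=tok'

if __FILE__ == $PROGRAM_NAME
  puts "decoding names:  #{prefixed_cookie_names(parse_cookies_decoding_names(SAMPLE_HEADER)).inspect}"
  puts "raw names:       #{prefixed_cookie_names(parse_cookies_raw_names(SAMPLE_HEADER)).inspect}"
end
```

Run stand-alone, the first parser reports both `__Host-session` and `__Host-csrf` as prefixed, while the raw-name parser reports only `__Host-csrf`; the takeaway for packagers and application authors is that any prefix-based trust decision must be made on the undecoded name, which is what the upstream fix restores.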
