Gentoo FoundationMGASA-2015-0227Updated ruby-rest-client packages fix security vulnerabilities
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
79.3%
Updated ruby-rest-client packages fix security vulnerability: When Ruby rest-client processes an HTTP redirection response, it blindly passes along the values from any Set-Cookie headers to the redirection target, regardless of domain, path, or expiration. This can be used in a session fixation attack or in stealing cookies (CVE-2015-1820). REST Client for Ruby contains a flaw that is due to the application logging password information in plaintext. This may allow a local attacker to gain access to password information (CVE-2015-3448). The ruby-rest-client package has been updated to version 1.8.0, fixing these issues and several other bugs. Refer to the upstream changelog for more details.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Mageia | 4 | noarch | ruby-rest-client | < 1.8.0-2 | ruby-rest-client-1.8.0-2.mga4 |
| Mageia | 4 | noarch | ruby-netrc | < 0.10.3-1 | ruby-netrc-0.10.3-1.mga4 |
| Mageia | 4 | noarch | ruby-http-cookie | < 1.0.2-1 | ruby-http-cookie-1.0.2-1.mga4 |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
79.3%