• DSA 537-1 New Ruby packages fix insecure CGI session management

-









































































Debian Security Advisory DSA 537-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
August 16th, 2004                       http://www.debian.org/security/faq



















































































































































-









































































Package        : ruby
Vulnerability  : insecure file permissions
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0755
Debian Bug     : 260779

Andres Salomon no ticed a problem in the CGI session management of
Ruby, an object-oriented scripting language.  CGI::Session's FileStore
(and presumably PStore, but not in Debian woody) implementations store
session information insecurely.  They simply create files, ignoring
permission issues.  This can lead an attacker who has also shell
access to the webserver to take over a session.

For the stable distribution (woody) this problem has been fixed in
version 1.6.7-3woody3.

For the unstable and testing distributions (sarge and sid) this
problem has been fixed in version 1.8.1+1.8.2pre1-4.

We recommend that you upgrade your libruby package.