Debian Security Advisory DSA 537-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
August 16th, 2004                       http://www.debian.org/security/faq

Package        : ruby
Vulnerability  : insecure file permissions
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0755
Debian Bug     : 260779
Andres Salomon noticed a problem in the CGI session management of Ruby,
an object-oriented scripting language.  The CGI::Session FileStore (and
presumably PStore, which is not shipped in Debian woody) implementations
store session information insecurely.  They simply create the session
files with the default, non-restrictive permissions, ignoring who else on
the system can read them.  An attacker who also has shell access to the
web server can read a session file and take over that session.
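The pattern behind the problem, and the fix a practitioner would want, as an
added example written for this advisory rather than code taken from Ruby's
CGI::Session or from the Debian patch: a minimal file-backed session store in
the spirit of FileStore, once creating the file with whatever mode the umask
allows (the insecure behaviour described above) and once creating it with an
explicit 0600 mode and O_EXCL so a planted file or symlink is refused.  The
class names, the `session_<id>` file naming and the checker function are
assumptions made for the example.

```ruby
# Added example, not Debian's or Ruby's own code.  Class names, file naming
# and the checker are assumptions for illustration.
require 'tmpdir'
require 'securerandom'

class InsecureSessionStore
  def initialize(dir)
    @dir = dir
  end

  # Vulnerable pattern: File.open with the default creation mode leaves the
  # session file's permissions to the process umask.  Under the common 022
  # the file ends up 0644, readable by every local user.
  def write(session_id, data)
    path = File.join(@dir, "session_#{session_id}")
    File.open(path, 'w') { |f| f.write(data) }
    path
  end
end

class HardenedSessionStore
  def initialize(dir)
    @dir = dir
  end

  def write(session_id, data)
    # Session ids are hex tokens here; refusing anything else keeps a caller
    # from steering the path with '..' or '/'.
    raise ArgumentError, 'bad session id' unless session_id =~ /\A[0-9a-f]{32}\z/
    path = File.join(@dir, "session_#{session_id}")
    # CREAT|EXCL fails if the file already exists, so a file or symlink
    # planted in advance by another local user is not written through.
    # The explicit 0600 mode restricts the new file to its owner regardless
    # of umask; NOFOLLOW is added on platforms that define it.
    flags = File::WRONLY | File::CREAT | File::EXCL
    flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)
    File.open(path, flags, 0o600) { |f| f.write(data) }
    path
  end
end

# Check a practitioner can run over an existing session directory: returns
# the session files whose group or other permission bits are set at all.
def world_readable_sessions(dir)
  Dir.glob(File.join(dir, 'session_*')).select do |p|
    (File.stat(p).mode & 0o077) != 0
  end
end

# Writes one session with each store under umask 022 and returns
# [number of leaky files, total files].  Session data is constructed.
def demo
  Dir.mktmpdir do |dir|
    old_umask = File.umask(0o022)
    begin
      InsecureSessionStore.new(dir).write(SecureRandom.hex(16), 'user=alice')
      HardenedSessionStore.new(dir).write(SecureRandom.hex(16), 'user=bob')
    ensure
      File.umask(old_umask)
    end
    leaky = world_readable_sessions(dir)
    [leaky.size, Dir.glob(File.join(dir, 'session_*')).size]
  end
end

if __FILE__ == $PROGRAM_NAME
  leaky, total = demo
  puts "#{leaky} of #{total} session files readable by other users"
end
```

Running the file under a typical 022 umask reports one leaky file out of two:
the insecure store's file, not the hardened store's.  The same
`world_readable_sessions` check, pointed at a real session directory, is a
quick way to confirm whether an installed Ruby still writes sessions this
way.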
For the stable distribution (woody) this problem has been fixed in
version 1.6.7-3woody3.
For the unstable and testing distributions (sarge and sid) this
problem has been fixed in version 1.8.1+1.8.2pre1-4.
We recommend that you upgrade your libruby package.