Bug 869162 (CVE-2014-2538) - VUL-0: CVE-2014-2538: rubygem-rack-ssl: XSS in error page
Summary: VUL-0: CVE-2014-2538: rubygem-rack-ssl: XSS in error page
Status: RESOLVED FIXED
Alias: CVE-2014-2538
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Deadline: 2014-04-18
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp2:56907 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-19 13:03 UTC by Marcus Meissner
Modified: 2014-06-04 19:05 UTC
CC: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch for the src (397 bytes, patch), 2014-03-20 10:01 UTC, Jordi Massaguer
patch for the test suite (605 bytes, patch), 2014-03-20 10:04 UTC, Jordi Massaguer
patch for the src (933 bytes, patch), 2014-04-02 11:43 UTC, Jordi Massaguer
patch for the test suite (675 bytes, patch), 2014-04-02 11:43 UTC, Jordi Massaguer

Description Marcus Meissner 2014-03-19 13:03:42 UTC
via Jordi

latest version of rack-ssl rubygem (1.4.0) contains a commit that fixes an
XSS vulnerability.

https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b

Some adapters (e.g. jruby-rack) will pass through bad URIs, then display
the resulting exception. This creates an attack vector for XSS attacks.
Comment 1 Marcus Meissner 2014-03-19 20:12:03 UTC
CVE-2014-2538
Comment 2 Swamp Workflow Management 2014-03-19 23:00:34 UTC
bugbot adjusting priority
Comment 3 Jordi Massaguer 2014-03-20 10:01:02 UTC
Created attachment 582940
patch for the src
Comment 4 Jordi Massaguer 2014-03-20 10:04:44 UTC
Created attachment 582942
patch for the test suite
Comment 8 Jordi Massaguer 2014-04-02 11:41:55 UTC
The previous patches were not working with previous versions of rack (see comments in https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b#commitcomment-5880103)

However, latest version of rack-ssl has removed the URI parsing, which is another way to fix it:

https://github.com/josh/rack-ssl/commit/9ff3adfe653025f383ff4fcc0f0d12b85ede20c1

I am attaching the new patch.
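The failure described in the bug description and the two remedies discussed in comment 8, reproduced as an added example in plain Ruby. This is not rack-ssl's code and needs no rack gem, only the stdlib `uri` and `cgi`. It assumes the mechanism the reports imply: the redirect-to-HTTPS handler calls `URI()` on the reconstructed request URL, a request target containing bytes that are not legal in a URI (here `<` and `>`) makes that call raise `URI::InvalidURIError` with the raw URL in its message, and an adapter's exception page echoes that message into HTML. The helper names (`make_env`, `request_url`, `redirect_with_uri_parse`, `error_page_html`, `redirect_without_parse`, `demo`) and the `forced_host` keyword are this example's, not the gem's. It shows both remedies: HTML-escaping the exception message wherever it is rendered, and building the `Location` header without parsing at all, which is the approach of the later commit.

```ruby
require 'uri'
require 'cgi'

# Added example, not rack-ssl's own code. Builds a minimal Rack-style env
# hash from a raw request target (constructed input, no web server needed).
def make_env(target, host: 'example.com', scheme: 'http', method: 'GET')
  path, query = target.split('?', 2)
  {
    'REQUEST_METHOD'  => method,
    'rack.url_scheme' => scheme,
    'HTTP_HOST'       => host,
    'PATH_INFO'       => path,
    'QUERY_STRING'    => query.to_s,
  }
end

# Reassemble the request URL the way Rack::Request#url does: scheme, host,
# path and query are concatenated, with no validation of the path bytes.
def request_url(env)
  url = "#{env['rack.url_scheme']}://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
  url += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].empty?
  url
end

# Vulnerable pattern (assumed to match the pre-fix gem): parse the raw URL
# to swap the scheme. Attacker-controlled bytes such as '<' and '>' are not
# legal in a URI, so URI() raises URI::InvalidURIError, and the exception
# message carries the raw URL. Any error page that prints that message
# unescaped reflects the attacker's markup.
def redirect_with_uri_parse(env, forced_host: nil)
  url = URI(request_url(env))
  url.scheme = 'https'
  url.host = forced_host if forced_host
  status = %w[GET HEAD].include?(env['REQUEST_METHOD']) ? 301 : 307
  [status, { 'Content-Type' => 'text/html', 'Location' => url.to_s }, []]
end

# Remedy 1: whoever renders an exception must HTML-escape its message.
def error_page_html(exception)
  "<h1>#{CGI.escapeHTML(exception.class.name)}</h1>" \
  "<pre>#{CGI.escapeHTML(exception.message)}</pre>"
end

# Remedy 2 (the approach of the later rack-ssl commit): never parse. The
# server has already split scheme, host, path and query; assemble the
# Location value from those pieces, so no input can make this raise. The
# body stays empty, so nothing user-controlled is rendered as HTML.
def redirect_without_parse(env, forced_host: nil)
  host = forced_host || env['HTTP_HOST']
  location = "https://#{host}#{env['PATH_INFO']}"
  location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].empty?
  status = %w[GET HEAD].include?(env['REQUEST_METHOD']) ? 301 : 307
  [status, { 'Content-Type' => 'text/html', 'Location' => location }, []]
end

# Drive both variants with a hostile request target (constructed input).
def demo(target = '/<script>alert(1)</script>?q=1')
  env = make_env(target)
  leaked = begin
    redirect_with_uri_parse(env)
    nil
  rescue URI::InvalidURIError => e
    e
  end
  {
    raw_message_has_markup:  leaked ? leaked.message.include?('<script>') : false,
    escaped_page_has_markup: leaked ? error_page_html(leaked).include?('<script>') : false,
    hardened_response:       redirect_without_parse(env, forced_host: 'secure.example.com'),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The hardened variant copies the path verbatim into `Location`. That is acceptable because a redirect header is not rendered as HTML and Rack servers refuse header values containing CR or LF, but it is why the `forced_host` option matters: without it, the `Host` header the client sent decides where the redirect points.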
Comment 9 Jordi Massaguer 2014-04-02 11:43:19 UTC
Created attachment 584732
patch for the src
Comment 10 Jordi Massaguer 2014-04-02 11:43:52 UTC
Created attachment 584733
patch for the test suite
Comment 11 Bernhard Wiedemann 2014-04-02 15:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (869162) was mentioned in
https://build.opensuse.org/request/show/228766 12.3 / rubygem-rack-ssl
https://build.opensuse.org/request/show/228767 13.1 / rubygem-rack-ssl
Comment 14 Swamp Workflow Management 2014-04-04 07:23:52 UTC
The SWAMPID for this issue is 56906.
This issue was rated as moderate.
Please submit fixed packages until 2014-04-18.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 16 Swamp Workflow Management 2014-04-11 14:04:49 UTC
openSUSE-SU-2014:0515-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 869162
CVE References: CVE-2014-2538
Sources used:
openSUSE 13.1 (src):    rubygem-rack-ssl-1.3.3-2.4.1
openSUSE 12.3 (src):    rubygem-rack-ssl-1.3.2-6.4.1
Comment 17 Swamp Workflow Management 2014-05-28 21:47:48 UTC
Update released for: rubygem-rack-ssl, rubygem-rack-ssl-doc
Products:
SLE-SLMS 1.3 (x86_64)
SLE-STUDIOONSITE 1.3 (x86_64)
SLE-WEBYAST 1.3 (i386, ia64, ppc64, s390x, x86_64)
Comment 18 Swamp Workflow Management 2014-05-29 01:05:23 UTC
SUSE-SU-2014:0730-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 869162
CVE References: CVE-2014-2538
Sources used:
WebYaST 1.3 (src):    rubygem-rack-ssl-1.3.2-0.12.5.1
SUSE Studio Onsite 1.3 (src):    rubygem-rack-ssl-1.3.2-0.12.5.1
SUSE Lifecycle Management Server 1.3 (src):    rubygem-rack-ssl-1.3.2-0.12.5.1
Comment 19 Marcus Meissner 2014-05-29 07:00:57 UTC
released
Comment 20 Swamp Workflow Management 2014-06-04 15:52:56 UTC
Update released for: rubygem-rack-ssl, rubygem-rack-ssl-doc
Products:
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
Comment 21 Swamp Workflow Management 2014-06-04 19:05:19 UTC
SUSE-SU-2014:0730-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 869162
CVE References: CVE-2014-2538
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    rubygem-rack-ssl-1.3.2-0.12.5.1