Bug 984130 (CVE-2016-4442) - VUL-0: CVE-2016-4442: rubygem-rack-mini-profiler: Ruby gem rack-mini-profiler
Summary: VUL-0: CVE-2016-4442: rubygem-rack-mini-profiler: Ruby gem rack-mini-profiler
Status: RESOLVED FIXED
Alias: CVE-2016-4442
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/169974/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-10 10:01 UTC by Marcus Meissner
Modified: 2020-05-18 15:46 UTC
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2016-06-10 10:01:52 UTC
CVE-2016-4442

Description: Carefully crafted requests can expose information about
strings and objects allocated during the request for unauthorised
users.

Fixed in: https://github.com/MiniProfiler/rack-mini-profiler/commit/4273771d65f1a7411e3ef5843329308d0e2d257c

Released public fix in version: 0.10.


References:
http://seclists.org/oss-sec/2016/q2/516
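The weakness described above is a diagnostics endpoint that hands per-request allocation data to callers who were never authorized to see it. The following is an added illustration, not code from this ticket or from rack-mini-profiler, of the default-deny pattern a defender wants in front of any such endpoint: a Rack-style middleware that refuses every request under a diagnostics path (the `/diagnostics` prefix, the `app.profiler_authorized` env key and the downstream profiler app are all constructed for this example) unless an explicit authorizer approves it. It uses only the Rack calling convention, an object responding to `call(env)` and returning `[status, headers, body]`, so it runs without the rack gem.

```ruby
# Added example: a default-deny gate for a profiler-style diagnostics path.
# Not rack-mini-profiler's own code; the path prefix, env key and the
# downstream app are constructed for this illustration.

class DiagnosticsGate
  # Hypothetical prefix under which allocation/profiling output is served.
  DIAG_PREFIX = '/diagnostics'.freeze

  # authorizer: any callable taking the Rack env and returning true/false.
  def initialize(app, authorizer:)
    @app = app
    @authorizer = authorizer
  end

  def call(env)
    path = env['PATH_INFO'].to_s
    # Non-diagnostic traffic passes straight through.
    return @app.call(env) unless path.start_with?(DIAG_PREFIX)

    # Default deny: the check applies to every diagnostics request,
    # whatever the HTTP method or query string, so no "crafted" variant
    # of the request can reach the profiler unauthorized.
    unless @authorizer.call(env) == true
      return [404, { 'content-type' => 'text/plain' }, ['Not Found']]
    end

    @app.call(env)
  end
end

# Constructed stand-in for an app whose diagnostics path reports data about
# objects allocated during the request.
PROFILER_APP = lambda do |env|
  if env['PATH_INFO'].to_s.start_with?(DiagnosticsGate::DIAG_PREFIX)
    [200, { 'content-type' => 'text/plain' }, ["allocated strings: 1234\n"]]
  else
    [200, { 'content-type' => 'text/plain' }, ["hello\n"]]
  end
end

# Constructed authorizer: trust only a flag that an earlier authentication
# layer is assumed to have set on the env (hypothetical key name).
AUTHORIZER = ->(env) { env['app.profiler_authorized'] == true }

GATED_APP = DiagnosticsGate.new(PROFILER_APP, authorizer: AUTHORIZER)

# Build a minimal Rack env and return [status, body_string] for inspection.
def simulate_request(app, path, method: 'GET', authorized: false)
  env = {
    'REQUEST_METHOD' => method,
    'PATH_INFO' => path,
    'QUERY_STRING' => ''
  }
  env['app.profiler_authorized'] = true if authorized
  status, _headers, body = app.call(env)
  [status, body.join]
end

if __FILE__ == $PROGRAM_NAME
  p simulate_request(GATED_APP, '/')
  p simulate_request(GATED_APP, '/diagnostics/memory')
  p simulate_request(GATED_APP, '/diagnostics/memory', method: 'POST')
  p simulate_request(GATED_APP, '/diagnostics/memory', authorized: true)
end
```

The gate answers unauthorized diagnostics requests with 404 rather than 403 so that the mere existence of the profiler is not advertised, and it compares the authorizer's result with `true` explicitly so a truthy-but-unexpected return value cannot open the endpoint by accident.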
Comment 1 Marcus Meissner 2016-06-10 10:03:27 UTC
we are not shipping this, but it seems to be present in the build projects

SUSE:SLE-11-SP3:Update:Cloud5:Test      rubygem-rack-mini-profiler
SUSE:SLE-12-SP1:Update:Products:Cloud6  rubygem-rack-mini-profiler
SUSE:SLE-12-SP2:Update:Products:Cloud7  rubygem-rack-mini-profiler

(bundled? or not used?)
Comment 2 Swamp Workflow Management 2016-06-10 22:00:51 UTC
bugbot adjusting priority
Comment 3 Rick Salevsky 2016-06-10 22:59:07 UTC
It's not used in production and needs to be explicitly enabled. Nevertheless I will update it in the build project.
Comment 4 Swamp Workflow Management 2016-07-27 15:12:06 UTC
SUSE-RU-2016:1883-1: An update that has 23 recommended fixes can now be installed.

Category: recommended (important)
Bug References: 845602,954911,954963,955810,958716,964663,966419,966424,966489,967423,967785,967811,967848,967911,968251,968436,972527,976048,978058,984130,986672,988021,988216
CVE References: 
Sources used:
SUSE OpenStack Cloud 6 (src):    crowbar-3.0+git.1461244880.94e4bf8-8.1, crowbar-core-3.0+git.1468227775.980a42a-5.2, crowbar-core-branding-SOC-3.0-11.7
SUSE Enterprise Storage 2.1 (src):    crowbar-3.0+git.1461244880.94e4bf8-8.1
Comment 5 Keith Berger 2020-05-18 15:45:47 UTC
I think this is resolved, please verify and close
Comment 6 Alexandros Toptsoglou 2020-05-18 15:46:22 UTC
Done