[meego-commits] 6007: Changes to MeeGo:1.0:Core:Update:Testing/ruby
Jian-feng Ding
jian-feng.ding at intel.com
Tue Jul 27 10:29:43 UTC 2010
Hi,
I have made the following changes to ruby in project MeeGo:1.0:Core:Update:Testing. Please review and accept ASAP.
Thank You,
Jian-feng Ding
[This message was auto-generated]
---
Request #6007:
submit: home:jfding:branches:MeeGo:1.0:Core:Update:Testing/ruby(r3)(cleanup) -> MeeGo:1.0:Core:Update:Testing/ruby
Message:
Add patch to fix CVE-2010-0541: WEBrick vulnerability (BMC#3357)
State: new 2010-07-26T22:22:59 jfding
Comment: None
changes files:
--------------
--- ruby.changes
+++ ruby.changes
@@ -0,0 +1,3 @@
+* Wed Jul 07 2010 Jian-feng Ding <jian-feng.ding at intel.com> 1.8.6.399
+- Add patch to fix CVE-2010-0541: WEBRrick vulnerability (BMC#3357)
+
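Review bot: the changelog entry misspells the server as "WEBRrick"; the upstream name is WEBrick, so correct it in this line (and in the request message, which carries the same typo) so the CVE entry is findable. The entry is also dated Wed Jul 07 2010 while the request was submitted 2010-07-26; rpm orders the changelog by these dates, so the entry should carry the date the change is actually made.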
new:
----
ruby-1.8.6-webrick-CVE-2010-0541.patch
spec files:
-----------
--- ruby.spec
+++ ruby.spec
@@ -48,6 +48,7 @@
# Patch32 from ruby_1_8 branch
Patch32: ruby-1.8head-irb-save-history.patch
Patch33: ruby-1.8.6-p383-mkmf-use-shared.patch
+Patch34: ruby-1.8.6-webrick-CVE-2010-0541.patch
Summary: An interpreter of object-oriented scripting language
Group: Development/Languages
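Review bot: `Patch34` is declared without a comment stating where it comes from, whereas the neighbouring `Patch32` carries `# Patch32 from ruby_1_8 branch`. Add a line above it such as `# Patch34: Apple's suggested fix for CVE-2010-0541 (BMC#3357), modified by jian-feng.ding` so the next maintainer can tell whether it is still needed after a rebase onto a patch level that already contains the fix.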
@@ -179,6 +180,7 @@
%patch31 -p1
%patch32 -p0
%patch33 -p1
+%patch34 -p1
popd
%build
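Review bot: `%patch34 -p1` is consistent with the path depth in the new patch (`ruby-1.8.6-p399/lib/webrick/httpresponse.rb`, one leading component to strip), unlike `%patch32 -p0`. Since the hunk as mailed has lost its leading indentation, do one build to confirm the copy in the repository applies without an offset or a `.rej` file before accepting.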
other changes:
--------------
++++++ ruby-1.8.6-webrick-CVE-2010-0541.patch (new)
--- ruby-1.8.6-webrick-CVE-2010-0541.patch
+++ ruby-1.8.6-webrick-CVE-2010-0541.patch
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0541
+
+Impact: A remote attacker may gain access to accounts served by Ruby
+WEBrick
+
+Description: A cross-site scripting issue exists in the Ruby WEBrick
+HTTP server's handling of error pages. Accessing a maliciously
+crafted URL in certain web browsers may cause the error page to be
+treated as UTF-7, allowing JavaScript injection. This update
+addresses the issue by setting UTF-8 as the default character set in
+HTTP error responses.
+
+Credit: Apple.
+
+Suggested patch from Apple (Modified by jian-feng.ding at intel.com):
+
+diff -rupN ruby-1.8.6-p399.orig/lib/webrick/httpresponse.rb ruby-1.8.6-p399/lib/webrick/httpresponse.rb
+--- ruby-1.8.6-p399.orig/lib/webrick/httpresponse.rb 2010-01-10 23:18:04.000000000 +0800
++++ ruby-1.8.6-p399/lib/webrick/httpresponse.rb 2010-07-07 18:11:42.139097872 +0800
+@@ -209,7 +209,7 @@ module WEBrick
+ @keep_alive = false
+ self.status = HTTPStatus::RC_INTERNAL_SERVER_ERROR
+ end
+- @header['content-type'] = "text/html"
++ @header['content-type'] = "text/html; charset=utf-8"
+
+ if respond_to?(:create_error_page)
+ create_error_page()
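Review bot: the Ruby lines in this hunk appear with their indentation stripped (`@keep_alive = false`, `self.status = ...` and the `@header['content-type']` assignment all sit inside `def set_error` in `module WEBrick`), so the patch file in the repository must retain the original whitespace or `patch` will reject the hunk. The change itself is the minimal fix for the UTF-7 sniffing described in the header: replacing `"text/html"` with `"text/html; charset=utf-8"` gives every WEBrick error page an explicit charset so the browser no longer guesses one. Note that it only touches `set_error`; ordinary responses whose handlers set `text/html` without a charset are unchanged, which matches the description above but is worth stating in the patch prologue. The prologue lines before `diff -rupN` are fine, as `patch` skips leading text until the first header.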