Ubuntu
rails package

[CVE-2007-6077] Potential session fixation attack

  1. Gutsy (7.10)
  2. Bug #173203
Bug #173203 reported by William Grant
256
Affects Status Importance Assigned to Milestone
Ruby on Rails
Fix Released
Unknown
rails (Ubuntu)
Fix Released
Undecided
Unassigned
Dapper
Won't Fix
Undecided
Unassigned
Edgy
Won't Fix
Undecided
Unassigned
Feisty
Won't Fix
Undecided
Unassigned
Gutsy
Fix Released
Undecided
William Grant
Hardy
Fix Released
Undecided
Unassigned

Bug Description

Binary package hint: rails

The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.

Hardy has 1.2.6, so should be fixed.

CVE References

William Grant (wgrant)
Changed in rails:
status: New → Fix Released
Revision history for this message
William Grant (wgrant) wrote :
Changed in rails:
assignee: nobody → fujitsu
status: New → In Progress
Bug Watch Updater (bug-watch-updater)
Changed in rails:
status: Unknown → Fix Released
Revision history for this message
Kees Cook (kees) wrote :

Thanks for preparing this! I've uploaded it to the security queue; it should be published shortly.

Changed in rails:
status: In Progress → Fix Committed
Revision history for this message
William Grant (wgrant) wrote :

rails (1.2.4-1ubuntu1.1) gutsy-security; urgency=low

  * SECURITY UPDATE: Session fixation attack via broken :cookie_only
    attribute. (LP: #173203)
  * debian/patches/20_CVE-2007-6077: Fix broken session fixation catching.
    Patch from upstream bug.
  * References
    CVE-2007-6077

 -- William Grant <email address hidden> Sat, 01 Dec 2007 20:09:54 +1100

Changed in rails:
status: Fix Committed → Fix Released
Revision history for this message
Hew (hew) wrote :

Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in rails:
status: New → Won't Fix
Revision history for this message
LumpyCustard (orangelumpycustard) wrote :

Please close for Feisty as Won't Fix? This goes for all the other Feisty bugs.

Revision history for this message
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in rails:
status: New → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in rails (Ubuntu Dapper):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.