ID OPENVAS:1361412562310865248 Type openvas Reporter Copyright (c) 2013 Greenbone Networks GmbH Modified 2019-03-15T00:00:00
Description
The remote host is missing an update for the
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for rubygem-rack FEDORA-2013-0896
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
if(description)
{
script_xref(name:"URL", value:"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097501.html");
script_oid("1.3.6.1.4.1.25623.1.0.865248");
script_version("$Revision: 14223 $");
script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");
script_tag(name:"creation_date", value:"2013-01-28 09:34:05 +0530 (Mon, 28 Jan 2013)");
script_cve_id("CVE-2011-6109", "CVE-2013-0183", "CVE-2013-0184",
"CVE-2011-5036", "CVE-2012-6109");
script_tag(name:"cvss_base", value:"5.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_xref(name:"FEDORA", value:"2013-0896");
script_name("Fedora Update for rubygem-rack FEDORA-2013-0896");
script_tag(name:"summary", value:"The remote host is missing an update for the 'rubygem-rack'
package(s) announced via the referenced advisory.");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (c) 2013 Greenbone Networks GmbH");
script_family("Fedora Local Security Checks");
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC16");
script_tag(name:"affected", value:"rubygem-rack on Fedora 16");
script_tag(name:"solution", value:"Please install the updated package(s).");
script_tag(name:"qod_type", value:"package");
script_tag(name:"solution_type", value:"VendorFix");
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
release = rpm_get_ssh_release();
if(!release)
exit(0);
res = "";
if(release == "FC16")
{
if ((res = isrpmvuln(pkg:"rubygem-rack", rpm:"rubygem-rack~1.3.0~3.fc16", rls:"FC16")) != NULL)
{
security_message(data:res);
exit(0);
}
if (__pkg_match) exit(99);
exit(0);
}
{"id": "OPENVAS:1361412562310865248", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for rubygem-rack FEDORA-2013-0896", "description": "The remote host is missing an update for the ", "published": "2013-01-28T00:00:00", "modified": "2019-03-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865248", "reporter": "Copyright (c) 2013 Greenbone Networks GmbH", "references": ["2013-0896", "http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097501.html"], "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2011-5036", "CVE-2013-0184"], "lastseen": "2019-05-29T18:38:07", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:865604", "OPENVAS:865607", "OPENVAS:865243", "OPENVAS:892783", "OPENVAS:1361412562310865243", "OPENVAS:1361412562310865250", "OPENVAS:1361412562310865604", "OPENVAS:1361412562310892783", "OPENVAS:865250", "OPENVAS:865248"]}, {"type": "cve", "idList": ["CVE-2013-0184", "CVE-2013-0183", "CVE-2013-0896", "CVE-2011-5036", "CVE-2012-6109"]}, {"type": "nessus", "idList": ["FEDORA_2012-0233.NASL", "GENTOO_GLSA-201203-05.NASL", "REDHAT-RHSA-2013-0544.NASL", "FEDORA_2012-0166.NASL", "DEBIAN_DSA-2783.NASL", "GENTOO_GLSA-201405-10.NASL", "OPENSUSE-2013-152.NASL", "FEDORA_2013-0861.NASL", "FEDORA_2013-0896.NASL", "FEDORA_2013-0837.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:29957", "SECURITYVULNS:VULN:13370"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2783-2:41A1A", "DEBIAN:DSA-2783-1:70ED3"]}, {"type": "gentoo", "idList": ["GLSA-201405-10", "GLSA-201203-05"]}, {"type": "redhat", "idList": ["RHSA-2013:0896", "RHSA-2013:0544"]}, {"type": "suse", "idList": ["SUSE-SU-2013:0508-1"]}, {"type": "github", "idList": ["GHSA-H77X-M5Q8-C29H", "GHSA-3PXH-H8HW-MJ8W"]}, {"type": "freebsd", "idList": ["91BE81E7-3FEA-11E1-AFC7-2C4138874F7D"]}, {"type": "oraclelinux", "idList": ["ELSA-2013-0896"]}], "modified": "2019-05-29T18:38:07", "rev": 2}, "score": {"value": 6.9, "vector": "NONE", "modified": "2019-05-29T18:38:07", "rev": 2}, "vulnersScore": 6.9}, "pluginID": "1361412562310865248", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-0896\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097501.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865248\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-28 09:34:05 +0530 (Mon, 28 Jan 2013)\");\n script_cve_id(\"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\",\n \"CVE-2011-5036\", \"CVE-2012-6109\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name:\"FEDORA\", value:\"2013-0896\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-0896\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rubygem-rack'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC16\");\n script_tag(name:\"affected\", value:\"rubygem-rack on Fedora 16\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.3.0~3.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks"}
{"openvas": [{"lastseen": "2018-01-26T11:09:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2011-5036", "CVE-2013-0184"], "description": "Check for the Version of rubygem-rack", "modified": "2018-01-26T00:00:00", "published": "2013-01-28T00:00:00", "id": "OPENVAS:865248", "href": "http://plugins.openvas.org/nasl.php?oid=865248", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-0896", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-0896\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"rubygem-rack on Fedora 16\";\ntag_insight = \"Rack provides a common API for connecting web frameworks,\n web servers and layers of software in between\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097501.html\");\n script_id(865248);\n script_version(\"$Revision: 8542 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-26 07:57:28 +0100 (Fri, 26 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-28 09:34:05 +0530 (Mon, 28 Jan 2013)\");\n script_cve_id(\"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\",\n \"CVE-2011-5036\", \"CVE-2012-6109\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"FEDORA\", value: \"2013-0896\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-0896\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of rubygem-rack\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.3.0~3.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:38:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-01-28T00:00:00", "id": "OPENVAS:1361412562310865243", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865243", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-0837", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-0837\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097518.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865243\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-28 09:33:40 +0530 (Mon, 28 Jan 2013)\");\n script_cve_id(\"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2012-6109\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"FEDORA\", value:\"2013-0837\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-0837\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rubygem-rack'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC18\");\n script_tag(name:\"affected\", value:\"rubygem-rack on Fedora 18\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~4.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2018-01-18T11:09:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "description": "Check for the Version of rubygem-rack", "modified": "2018-01-18T00:00:00", "published": "2013-01-28T00:00:00", "id": "OPENVAS:865243", "href": "http://plugins.openvas.org/nasl.php?oid=865243", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-0837", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-0837\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"rubygem-rack on Fedora 18\";\ntag_insight = \"Rack provides a common API for connecting web frameworks,\n web servers and layers of software in between\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097518.html\");\n script_id(865243);\n script_version(\"$Revision: 8456 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-18 07:58:40 +0100 (Thu, 18 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-28 09:33:40 +0530 (Mon, 28 Jan 2013)\");\n script_cve_id(\"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2012-6109\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2013-0837\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-0837\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of rubygem-rack\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~4.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:51:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "description": "Check for the Version of rubygem-rack", "modified": "2017-07-10T00:00:00", "published": "2013-01-28T00:00:00", "id": "OPENVAS:865250", "href": "http://plugins.openvas.org/nasl.php?oid=865250", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-0861", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-0861\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"rubygem-rack on Fedora 17\";\ntag_insight = \"Rack provides a common API for connecting web frameworks,\n web servers and layers of software in between\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097523.html\");\n script_id(865250);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-28 09:34:23 +0530 (Mon, 28 Jan 2013)\");\n script_cve_id(\"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2012-6109\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2013-0861\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-0861\");\n\n script_summary(\"Check for the Version of rubygem-rack\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~3.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:37:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-01-28T00:00:00", "id": "OPENVAS:1361412562310865250", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865250", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-0861", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-0861\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097523.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865250\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-28 09:34:23 +0530 (Mon, 28 Jan 2013)\");\n script_cve_id(\"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2012-6109\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"FEDORA\", value:\"2013-0861\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-0861\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rubygem-rack'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"rubygem-rack on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~3.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2017-10-30T10:50:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0183", "CVE-2011-5036", "CVE-2013-0184", "CVE-2013-0263"], "description": "Several vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. The Common Vulnerabilities and Exposures project\nidentifies the following vulnerabilities:\n\nCVE-2011-5036 \nRack computes hash values for form parameters without restricting\nthe ability to trigger hash collisions predictably, which allows\nremote attackers to cause a denial of service (CPU consumption)\nby sending many crafted parameters.\n\nCVE-2013-0183 \nA remote attacker could cause a denial of service (memory\nconsumption and out-of-memory error) via a long string in a\nMultipart HTTP packet.\n\nCVE-2013-0184 \nA vulnerability in Rack::Auth::AbstractRequest allows remote\nattackers to cause a denial of service via unknown vectors.\n\nCVE-2013-0263 \nRack::Session::Cookie allows remote attackers to guess the\nsession cookie, gain privileges, and execute arbitrary code via a\ntiming attack involving an HMAC comparison function that does not\nrun in constant time.", "modified": "2017-10-26T00:00:00", "published": "2013-10-21T00:00:00", "id": "OPENVAS:892783", "href": "http://plugins.openvas.org/nasl.php?oid=892783", "type": "openvas", "title": "Debian Security Advisory DSA 2783-1 (librack-ruby - several vulnerabilities)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2783.nasl 7585 2017-10-26 15:03:01Z cfischer $\n# Auto-generated from advisory DSA 2783-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"librack-ruby on Debian Linux\";\ntag_insight = \"Rack provides a minimal, modular and adaptable interface for\ndeveloping web applications in Ruby. By wrapping HTTP requests and\nresponses in the simplest way possible, it unifies and distills the\nAPI for web servers, web frameworks, and software in between (the\nso-called middleware) into a single method call.\";\ntag_solution = \"For the oldstable distribution (squeeze), these problems have been fixed in\nversion 1.1.0-4+squeeze1.\n\nThe stable, testing and unstable distributions do not contain the\nlibrack-ruby package. They have already been addressed in version\n1.4.1-2.1 of the ruby-rack package.\n\nWe recommend that you upgrade your librack-ruby packages.\";\ntag_summary = \"Several vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. The Common Vulnerabilities and Exposures project\nidentifies the following vulnerabilities:\n\nCVE-2011-5036 \nRack computes hash values for form parameters without restricting\nthe ability to trigger hash collisions predictably, which allows\nremote attackers to cause a denial of service (CPU consumption)\nby sending many crafted parameters.\n\nCVE-2013-0183 \nA remote attacker could cause a denial of service (memory\nconsumption and out-of-memory error) via a long string in a\nMultipart HTTP packet.\n\nCVE-2013-0184 \nA vulnerability in Rack::Auth::AbstractRequest allows remote\nattackers to cause a denial of service via unknown vectors.\n\nCVE-2013-0263 \nRack::Session::Cookie allows remote attackers to guess the\nsession cookie, gain privileges, and execute arbitrary code via a\ntiming attack involving an HMAC comparison function that does not\nrun in constant time.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(892783);\n script_version(\"$Revision: 7585 $\");\n script_cve_id(\"CVE-2011-5036\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2013-0263\");\n script_name(\"Debian Security Advisory DSA 2783-1 (librack-ruby - several vulnerabilities)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-10-26 17:03:01 +0200 (Thu, 26 Oct 2017) $\");\n script_tag(name: \"creation_date\", value:\"2013-10-21 00:00:00 +0200 (Mon, 21 Oct 2013)\");\n script_tag(name: \"cvss_base\", value:\"5.1\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2013/dsa-2783.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"librack-ruby\", ver:\"1.1.0-4+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"librack-ruby1.8\", ver:\"1.1.0-4+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"librack-ruby1.9.1\", ver:\"1.1.0-4+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:37:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0183", "CVE-2011-5036", "CVE-2013-0184", "CVE-2013-0263"], "description": "Several vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. The Common Vulnerabilities and Exposures project\nidentifies the following vulnerabilities:\n\nCVE-2011-5036\nRack computes hash values for form parameters without restricting\nthe ability to trigger hash collisions predictably, which allows\nremote attackers to cause a denial of service (CPU consumption)\nby sending many crafted parameters.\n\nCVE-2013-0183\nA remote attacker could cause a denial of service (memory\nconsumption and out-of-memory error) via a long string in a\nMultipart HTTP packet.\n\nCVE-2013-0184\nA vulnerability in Rack::Auth::AbstractRequest allows remote\nattackers to cause a denial of service via unknown vectors.\n\nCVE-2013-0263\nRack::Session::Cookie allows remote attackers to guess the\nsession cookie, gain privileges, and execute arbitrary code via a\ntiming attack involving an HMAC comparison function that does not\nrun in constant time.", "modified": "2019-03-18T00:00:00", "published": "2013-10-21T00:00:00", "id": "OPENVAS:1361412562310892783", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892783", "type": "openvas", "title": "Debian Security Advisory DSA 2783-1 (librack-ruby - several vulnerabilities)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2783.nasl 14276 2019-03-18 14:43:56Z cfischer $\n# Auto-generated from advisory DSA 2783-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892783\");\n script_version(\"$Revision: 14276 $\");\n script_cve_id(\"CVE-2011-5036\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2013-0263\");\n script_name(\"Debian Security Advisory DSA 2783-1 (librack-ruby - several vulnerabilities)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:43:56 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-21 00:00:00 +0200 (Mon, 21 Oct 2013)\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2013/dsa-2783.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB6\");\n script_tag(name:\"affected\", value:\"librack-ruby on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (squeeze), these problems have been fixed in\nversion 1.1.0-4+squeeze1.\n\nThe stable, testing and unstable distributions do not contain the\nlibrack-ruby package. They have already been addressed in version\n1.4.1-2.1 of the ruby-rack package.\n\nWe recommend that you upgrade your librack-ruby packages.\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. The Common Vulnerabilities and Exposures project\nidentifies the following vulnerabilities:\n\nCVE-2011-5036\nRack computes hash values for form parameters without restricting\nthe ability to trigger hash collisions predictably, which allows\nremote attackers to cause a denial of service (CPU consumption)\nby sending many crafted parameters.\n\nCVE-2013-0183\nA remote attacker could cause a denial of service (memory\nconsumption and out-of-memory error) via a long string in a\nMultipart HTTP packet.\n\nCVE-2013-0184\nA vulnerability in Rack::Auth::AbstractRequest allows remote\nattackers to cause a denial of service via unknown vectors.\n\nCVE-2013-0263\nRack::Session::Cookie allows remote attackers to guess the\nsession cookie, gain privileges, and execute arbitrary code via a\ntiming attack involving an HMAC comparison function that does not\nrun in constant time.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"librack-ruby\", ver:\"1.1.0-4+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"librack-ruby1.8\", ver:\"1.1.0-4+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"librack-ruby1.9.1\", ver:\"1.1.0-4+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2013-0262", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0263"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-05-09T00:00:00", "id": "OPENVAS:1361412562310865604", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865604", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-2315", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-2315\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.865604\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-09 10:21:17 +0530 (Thu, 09 May 2013)\");\n script_cve_id(\"CVE-2013-0262\", \"CVE-2013-0263\", \"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-2315\");\n script_xref(name:\"FEDORA\", value:\"2013-2315\");\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104668.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rubygem-rack'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"rubygem-rack on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~4.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-25T10:51:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2013-0262", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0263"], "description": "Check for the Version of rubygem-rack", "modified": "2017-07-10T00:00:00", "published": "2013-05-09T00:00:00", "id": "OPENVAS:865607", "href": "http://plugins.openvas.org/nasl.php?oid=865607", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-2306", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-2306\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"rubygem-rack on Fedora 18\";\ntag_insight = \"Rack provides a common API for connecting web frameworks,\n web servers and layers of software in between\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(865607);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-09 10:21:33 +0530 (Thu, 09 May 2013)\");\n script_cve_id(\"CVE-2013-0262\", \"CVE-2013-0263\", \"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-2306\");\n\n script_xref(name: \"FEDORA\", value: \"2013-2306\");\n script_xref(name: \"URL\" , value: \"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104672.html\");\n script_summary(\"Check for the Version of rubygem-rack\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~5.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:51:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2013-0262", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0263"], "description": "Check for the Version of rubygem-rack", "modified": "2017-07-10T00:00:00", "published": "2013-05-09T00:00:00", "id": "OPENVAS:865604", "href": "http://plugins.openvas.org/nasl.php?oid=865604", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-2315", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-2315\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"rubygem-rack on Fedora 17\";\ntag_insight = \"Rack provides a common API for connecting web frameworks,\n web servers and layers of software in between\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(865604);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-09 10:21:17 +0530 (Thu, 09 May 2013)\");\n script_cve_id(\"CVE-2013-0262\", \"CVE-2013-0263\", \"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-2315\");\n\n script_xref(name: \"FEDORA\", value: \"2013-2315\");\n script_xref(name: \"URL\" , value: \"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104668.html\");\n script_summary(\"Check for the Version of rubygem-rack\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~4.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2011-5036", "CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "description": "Rack provides a common API for connecting web frameworks, web servers and layers of software in between ", "modified": "2013-01-25T21:34:26", "published": "2013-01-25T21:34:26", "id": "FEDORA:47B6420F0B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: rubygem-rack-1.3.0-3.fc16", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "description": "Rack provides a common API for connecting web frameworks, web servers and layers of software in between ", "modified": "2013-01-25T21:44:01", "published": "2013-01-25T21:44:01", "id": "FEDORA:4D80520F46", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: rubygem-rack-1.4.0-3.fc17", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "description": "Rack provides a common API for connecting web frameworks, web servers and layers of software in between ", "modified": "2013-01-25T21:37:50", "published": "2013-01-25T21:37:50", "id": "FEDORA:7A4F420891", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: rubygem-rack-1.4.0-4.fc18", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2011-6109", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0262", "CVE-2013-0263"], "description": "Rack provides a common API for connecting web frameworks, web servers and layers of software in between ", "modified": "2013-05-07T18:29:19", "published": "2013-05-07T18:29:19", "id": "FEDORA:724CE206A4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: rubygem-rack-1.4.0-4.fc17", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2011-6109", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0262", "CVE-2013-0263"], "description": "Rack provides a common API for connecting web frameworks, web servers and layers of software in between ", "modified": "2013-05-07T18:33:02", "published": "2013-05-07T18:33:02", "id": "FEDORA:347A92074D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: rubygem-rack-1.4.0-5.fc18", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-5036"], "description": "Rack provides a common API for connecting web frameworks, web servers and layers of software in between ", "modified": "2012-01-16T21:23:49", "published": "2012-01-16T21:23:49", "id": "FEDORA:B06A620BBA", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: rubygem-rack-1.3.0-2.fc16", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-5036"], "description": "Rack provides a common API for connecting web frameworks, web servers and layers of software in between ", "modified": "2012-01-16T21:26:40", "published": "2012-01-16T21:26:40", "id": "FEDORA:4C05620D2A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 15 Update: rubygem-rack-1.1.0-4.fc15", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2020-12-09T19:39:12", "description": "Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.", "edition": 5, "cvss3": {}, "published": "2011-12-30T01:55:00", "title": "CVE-2011-5036", "type": "cve", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-5036"], "modified": "2013-10-31T03:21:00", "cpe": ["cpe:/a:rack_project:rack:1.2.0", "cpe:/a:rack_project:rack:1.3.5", "cpe:/a:rack_project:rack:1.2.2", "cpe:/a:rack_project:rack:1.3.2", "cpe:/a:rack_project:rack:1.1.0", "cpe:/a:rack_project:rack:1.2.3", "cpe:/a:rack_project:rack:1.2.1", "cpe:/a:rack_project:rack:1.3.0", "cpe:/a:rack_project:rack:1.3.4", "cpe:/a:rack_project:rack:1.3.3", "cpe:/a:rack_project:rack:1.2.4", "cpe:/a:rack_project:rack:1.3.1"], "id": "CVE-2011-5036", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5036", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:rack_project:rack:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:47:26", "description": "lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.", "edition": 5, "cvss3": {}, "published": "2013-03-01T05:40:00", "title": "CVE-2012-6109", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6109"], "modified": "2018-08-13T21:47:00", "cpe": ["cpe:/a:rack_project:rack:0.3", "cpe:/a:rack_project:rack:1.2.0", "cpe:/a:rack_project:rack:1.3.5", "cpe:/a:rack_project:rack:0.9.1", "cpe:/a:rack_project:rack:0.2", "cpe:/a:rack_project:rack:1.2.2", "cpe:/a:rack_project:rack:1.3.2", "cpe:/a:rack_project:rack:1.1.0", "cpe:/a:rack_project:rack:1.2.3", "cpe:/a:rack_project:rack:1.0.0", "cpe:/a:rack_project:rack:1.2.1", "cpe:/a:rack_project:rack:1.4.0", "cpe:/a:rack_project:rack:1.1.3", "cpe:/a:rack_project:rack:0.4", "cpe:/a:rack_project:rack:1.1.2", "cpe:/a:rack_project:rack:0.1", "cpe:/a:rack_project:rack:0.9", "cpe:/a:rack_project:rack:1.3.0", "cpe:/a:rack_project:rack:1.3.4", "cpe:/a:rack_project:rack:1.4.1", "cpe:/a:rack_project:rack:1.3.3", "cpe:/a:rack_project:rack:1.0.1", "cpe:/a:rack_project:rack:1.3.6", "cpe:/a:rack_project:rack:1.2.4", "cpe:/a:rack_project:rack:1.3.1"], "id": "CVE-2012-6109", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6109", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:rack_project:rack:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:0.9:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:0.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:0.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:0.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:0.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:0.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:45:53", "description": "Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to \"symbolized arbitrary strings.\"", "edition": 3, "cvss3": {}, "published": "2013-03-01T05:40:00", "title": "CVE-2013-0184", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0184"], "modified": "2013-10-31T03:30:00", "cpe": ["cpe:/a:rack_project:rack:1.2.0", "cpe:/a:rack_project:rack:1.3.5", "cpe:/a:rack_project:rack:1.2.2", "cpe:/a:rack_project:rack:1.3.2", "cpe:/a:rack_project:rack:1.2.6", "cpe:/a:rack_project:rack:1.4.3", "cpe:/a:rack_project:rack:1.3.7", "cpe:/a:rack_project:rack:1.1.0", "cpe:/a:rack_project:rack:1.2.3", "cpe:/a:rack_project:rack:1.1.4", "cpe:/a:rack_project:rack:1.3.8", "cpe:/a:rack_project:rack:1.2.1", "cpe:/a:rack_project:rack:1.4.0", "cpe:/a:rack_project:rack:1.1.3", "cpe:/a:rack_project:rack:1.1.2", "cpe:/a:rack_project:rack:1.4.2", "cpe:/a:rack_project:rack:1.3.0", "cpe:/a:rack_project:rack:1.3.4", "cpe:/a:rack_project:rack:1.4.1", "cpe:/a:rack_project:rack:1.3.3", "cpe:/a:rack_project:rack:1.3.6", "cpe:/a:rack_project:rack:1.2.4", "cpe:/a:rack_project:rack:1.3.1"], "id": "CVE-2013-0184", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0184", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:rack_project:rack:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:45:53", "description": "multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet.", "edition": 3, "cvss3": {}, "published": "2013-03-01T05:40:00", "title": "CVE-2013-0183", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0183"], "modified": "2018-08-13T21:47:00", "cpe": ["cpe:/a:rack_project:rack:1.3.5", "cpe:/a:rack_project:rack:1.3.2", "cpe:/a:rack_project:rack:1.3.7", "cpe:/a:rack_project:rack:1.4.0", "cpe:/a:rack_project:rack:1.4.2", "cpe:/a:rack_project:rack:1.3.0", "cpe:/a:rack_project:rack:1.3.4", "cpe:/a:rack_project:rack:1.4.1", "cpe:/a:rack_project:rack:1.3.3", "cpe:/a:rack_project:rack:1.3.6", "cpe:/a:rack_project:rack:1.3.1"], "id": "CVE-2013-0183", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0183", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:rack_project:rack:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.0:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-01-12T10:10:48", "description": "Fixes for CVE-2011-6109, CVE-2013-0183 and CVE-2013-0184.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2013-01-28T00:00:00", "title": "Fedora 18 : rubygem-rack-1.4.0-4.fc18 (2013-0837)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "modified": "2013-01-28T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:18", "p-cpe:/a:fedoraproject:fedora:rubygem-rack"], "id": "FEDORA_2013-0837.NASL", "href": "https://www.tenable.com/plugins/nessus/64251", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-0837.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64251);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\");\n script_xref(name:\"FEDORA\", value:\"2013-0837\");\n\n script_name(english:\"Fedora 18 : rubygem-rack-1.4.0-4.fc18 (2013-0837)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fixes for CVE-2011-6109, CVE-2013-0183 and CVE-2013-0184.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895282\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895384\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097518.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8c3f85b7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-rack package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"rubygem-rack-1.4.0-4.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-rack\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:10:49", "description": "Fixes for CVE-2011-6109, CVE-2013-0183 and CVE-2013-0184.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2013-01-28T00:00:00", "title": "Fedora 16 : rubygem-rack-1.3.0-3.fc16 (2013-0896)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "modified": "2013-01-28T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:rubygem-rack", "cpe:/o:fedoraproject:fedora:16"], "id": "FEDORA_2013-0896.NASL", "href": "https://www.tenable.com/plugins/nessus/64254", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-0896.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64254);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\");\n script_xref(name:\"FEDORA\", value:\"2013-0896\");\n\n script_name(english:\"Fedora 16 : rubygem-rack-1.3.0-3.fc16 (2013-0896)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fixes for CVE-2011-6109, CVE-2013-0183 and CVE-2013-0184.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895282\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895384\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097501.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5c6c3360\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-rack package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"rubygem-rack-1.3.0-3.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-rack\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:10:48", "description": "Fixes for CVE-2011-6109, CVE-2013-0183 and CVE-2013-0184.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2013-01-28T00:00:00", "title": "Fedora 17 : rubygem-rack-1.4.0-3.fc17 (2013-0861)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "modified": "2013-01-28T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:rubygem-rack", "cpe:/o:fedoraproject:fedora:17"], "id": "FEDORA_2013-0861.NASL", "href": "https://www.tenable.com/plugins/nessus/64253", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-0861.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64253);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\");\n script_xref(name:\"FEDORA\", value:\"2013-0861\");\n\n script_name(english:\"Fedora 17 : rubygem-rack-1.4.0-3.fc17 (2013-0861)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fixes for CVE-2011-6109, CVE-2013-0183 and CVE-2013-0184.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895282\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895384\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097523.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?08b0180e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-rack package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"rubygem-rack-1.4.0-3.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-rack\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T09:48:11", "description": "Several vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. The Common Vulnerabilites and Exposures project\nidentifies the following vulnerabilities :\n\n - CVE-2011-5036\n Rack computes hash values for form parameters without\n restricting the ability to trigger hash collisions\n predictably, which allows remote attackers to cause a\n denial of service (CPU consumption) by sending many\n crafted parameters.\n\n - CVE-2013-0183\n A remote attacker could cause a denial of service\n (memory consumption and out-of-memory error) via a long\n string in a Multipart HTTP packet.\n\n - CVE-2013-0184\n A vulnerability in Rack::Auth::AbstractRequest allows\n remote attackers to cause a denial of service via\n unknown vectors.\n\n - CVE-2013-0263\n Rack::Session::Cookie allows remote attackers to guess\n the session cookie, gain privileges, and execute\n arbitrary code via a timing attack involving an HMAC\n comparison function that does not run in constant time.", "edition": 16, "published": "2013-10-22T00:00:00", "title": "Debian DSA-2783-1 : librack-ruby - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0183", "CVE-2011-5036", "CVE-2013-0184", "CVE-2013-0263"], "modified": "2013-10-22T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:librack-ruby"], "id": "DEBIAN_DSA-2783.NASL", "href": "https://www.tenable.com/plugins/nessus/70534", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2783. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(70534);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-5036\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2013-0263\");\n script_bugtraq_id(51197, 57860, 58769);\n script_xref(name:\"DSA\", value:\"2783\");\n\n script_name(english:\"Debian DSA-2783-1 : librack-ruby - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. The Common Vulnerabilites and Exposures project\nidentifies the following vulnerabilities :\n\n - CVE-2011-5036\n Rack computes hash values for form parameters without\n restricting the ability to trigger hash collisions\n predictably, which allows remote attackers to cause a\n denial of service (CPU consumption) by sending many\n crafted parameters.\n\n - CVE-2013-0183\n A remote attacker could cause a denial of service\n (memory consumption and out-of-memory error) via a long\n string in a Multipart HTTP packet.\n\n - CVE-2013-0184\n A vulnerability in Rack::Auth::AbstractRequest allows\n remote attackers to cause a denial of service via\n unknown vectors.\n\n - CVE-2013-0263\n Rack::Session::Cookie allows remote attackers to guess\n the session cookie, gain privileges, and execute\n arbitrary code via a timing attack involving an HMAC\n comparison function that does not run in constant time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653963\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698440\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700226\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-5036\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2013-0183\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2013-0184\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2013-0263\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/librack-ruby\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2013/dsa-2783\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the librack-ruby packages.\n\nFor the oldstable distribution (squeeze), these problems have been\nfixed in version 1.1.0-4+squeeze1.\n\nThe stable, testing and unstable distributions do not contain the\nlibrack-ruby package. They have already been addressed in version\n1.4.1-2.1 of the ruby-rack package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:librack-ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"librack-ruby\", reference:\"1.1.0-4+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"librack-ruby1.8\", reference:\"1.1.0-4+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"librack-ruby1.9.1\", reference:\"1.1.0-4+squeeze1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:55:43", "description": "The remote host is affected by the vulnerability described in GLSA-201405-10\n(Rack: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Rack. Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, cause a Denial of Service condition, or obtain\n sensitive information.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 21, "published": "2014-05-19T00:00:00", "title": "GLSA-201405-10 : Rack: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0262", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0263"], "modified": "2014-05-19T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:rack", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201405-10.NASL", "href": "https://www.tenable.com/plugins/nessus/74053", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201405-10.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74053);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2012-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2013-0262\", \"CVE-2013-0263\");\n script_bugtraq_id(57860, 57862, 58767, 58768, 58769);\n script_xref(name:\"GLSA\", value:\"201405-10\");\n\n script_name(english:\"GLSA-201405-10 : Rack: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201405-10\n(Rack: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Rack. Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, cause a Denial of Service condition, or obtain\n sensitive information.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201405-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Rack 1.4 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-ruby/rack-1.4.5'\n All Rack 1.3 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-ruby/rack-1.3.10'\n All Rack 1.2 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-ruby/rack-1.2.8'\n All Rack 1.1 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-ruby/rack-1.1.6'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/05/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-ruby/rack\", unaffected:make_list(\"ge 1.4.5\", \"rge 1.3.10\", \"rge 1.2.8\", \"rge 1.1.6\"), vulnerable:make_list(\"lt 1.4.5\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Rack\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T12:26:12", "description": "The Ruby on Rails 2.3 stack was updated to 2.3.17. The Ruby on Rails\n3.2 stack was updated to 3.2.12.\n\nThe Ruby Rack was updated to 1.1.6. The Ruby Rack was\nupdated to 1.2.8. The Ruby Rack was updated to 1.3.10. The\nRuby Rack was updated to 1.4.5.\n\nThe updates fix various security issues and bugs.\n\n - update to version 2.3.17 (bnc#803336, bnc#803339)\n CVE-2013-0276 CVE-2013-0277 :\n\n - update to version 3.2.12 (bnc#803336) CVE-2013-0276 :\n\n - update to version 3.2.12 (bnc#803336) CVE-2013-0276:\n issue with attr_protected where malformed input could\n circumvent protection\n\n - update to version 2.3.17 (bnc#803336, bnc#803339)\n CVE-2013-0276 CVE-2013-0277 :\n\n - Fix issue with attr_protected where malformed input\n could circumvent protection\n\n - Fix Serialized Attributes YAML Vulnerability\n\n - update to version 2.3.17 (bnc#803336, bnc#803339)\n CVE-2013-0276 CVE-2013-0277 :\n\n - Fix issue with attr_protected where malformed input\n could circumvent protection\n\n - Fix Serialized Attributes YAML Vulnerability\n\n - update to version 3.2.12 (bnc#803336) CVE-2013-0276 :\n\n - Quote numeric values being compared to non-numeric\n columns. Otherwise, in some database, the string column\n values will be coerced to a numeric allowing 0, 0.0 or\n false to match any string starting with a non-digit.\n\n - update to 1.1.6 (bnc#802794)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - update to 1.2.8 (bnc#802794)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - update to 1.3.10 (bnc#802794)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - ruby rack update to 1.4.5 (bnc#802794 bnc#802795)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - Fix CVE-2013-0262, symlink path traversal in Rack::File\n\n - ruby rack update to 1.4.4 (bnc#798452)\n\n - [SEC] Rack::Auth::AbstractRequest no longer symbolizes\n arbitrary strings (CVE-2013-0184)\n\n - ruby rack changes from 1.4.3\n\n - Security: Prevent unbounded reads in large multipart\n boundaries (CVE-2013-0183)\n\n - ruby rack changes from 1.4.2 (CVE-2012-6109)\n\n - Add warnings when users do not provide a session secret\n\n - Fix parsing performance for unquoted filenames\n\n - Updated URI backports\n\n - Fix URI backport version matching, and silence constant\n warnings\n\n - Correct parameter parsing with empty values\n\n - Correct rackup '-I' flag, to allow multiple uses\n\n - Correct rackup pidfile handling\n\n - Report rackup line numbers correctly\n\n - Fix request loops caused by non-stale nonces with time\n limits\n\n - Fix reloader on Windows\n\n - Prevent infinite recursions from Response#to_ary\n\n - Various middleware better conforms to the body close\n specification\n\n - Updated language for the body close specification\n\n - Additional notes regarding ECMA escape compatibility\n issues\n\n - Fix the parsing of multiple ranges in range headers\n\n - Prevent errors from empty parameter keys\n\n - Added PATCH verb to Rack::Request\n\n - Various documentation updates\n\n - Fix session merge semantics (fixes rack-test)\n\n - Rack::Static :index can now handle multiple directories\n\n - All tests now utilize Rack::Lint (special thanks to Lars\n Gierth)\n\n - Rack::File cache_control parameter is now deprecated,\n and removed by 1.5\n\n - Correct Rack::Directory script name escaping\n\n - Rack::Static supports header rules for sophisticated\n configurations\n\n - Multipart parsing now works without a Content-Length\n header\n\n - New logos courtesy of Zachary Scott!\n\n - Rack::BodyProxy now explicitly defines #each, useful for\n C extensions\n\n - Cookies that are not URI escaped no longer cause\n exceptions", "edition": 20, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : RubyOnRails (openSUSE-SU-2013:0338-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0276", "CVE-2013-0262", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0277", "CVE-2013-0184", "CVE-2013-0263"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:rubygem-rails", "p-cpe:/a:novell:opensuse:rubygem-activesupport-3_2", "p-cpe:/a:novell:opensuse:rubygem-rack-1_1", "p-cpe:/a:novell:opensuse:rubygem-activerecord-2_3", "p-cpe:/a:novell:opensuse:rubygem-actionmailer", "p-cpe:/a:novell:opensuse:rubygem-actionpack", "p-cpe:/a:novell:opensuse:rubygem-actionmailer-2_3-testsuite", "p-cpe:/a:novell:opensuse:rubygem-actionpack-3_2", "cpe:/o:novell:opensuse:12.1", "p-cpe:/a:novell:opensuse:rubygem-rack-1_1-testsuite", "p-cpe:/a:novell:opensuse:rubygem-activerecord-2_3-testsuite", "p-cpe:/a:novell:opensuse:rubygem-actionpack-2_3", "p-cpe:/a:novell:opensuse:rubygem-rails-2_3", "p-cpe:/a:novell:opensuse:rubygem-rack-1_2-testsuite", "p-cpe:/a:novell:opensuse:rubygem-activesupport", "p-cpe:/a:novell:opensuse:rubygem-activeresource", "p-cpe:/a:novell:opensuse:rubygem-rails-3_2", "p-cpe:/a:novell:opensuse:rubygem-activeresource-3_2", "p-cpe:/a:novell:opensuse:rubygem-railties-3_2", "p-cpe:/a:novell:opensuse:rubygem-activemodel-3_2", "p-cpe:/a:novell:opensuse:rubygem-activeresource-2_3-testsuite", "p-cpe:/a:novell:opensuse:rubygem-rack-1_3-testsuite", "p-cpe:/a:novell:opensuse:rubygem-activeresource-2_3", "p-cpe:/a:novell:opensuse:rubygem-actionmailer-2_3", "p-cpe:/a:novell:opensuse:rubygem-actionpack-2_3-testsuite", "p-cpe:/a:novell:opensuse:rubygem-rack-1_3", "p-cpe:/a:novell:opensuse:rubygem-rack-1_2", "p-cpe:/a:novell:opensuse:rubygem-actionmailer-3_2", "p-cpe:/a:novell:opensuse:rubygem-rack-1_4-testsuite", "p-cpe:/a:novell:opensuse:rubygem-activesupport-2_3", "p-cpe:/a:novell:opensuse:rubygem-activerecord", "p-cpe:/a:novell:opensuse:rubygem-rack-1_4", "cpe:/o:novell:opensuse:12.2", "p-cpe:/a:novell:opensuse:rubygem-activerecord-3_2"], "id": "OPENSUSE-2013-152.NASL", "href": "https://www.tenable.com/plugins/nessus/74900", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2013-152.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74900);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2013-0262\", \"CVE-2013-0263\", \"CVE-2013-0276\", \"CVE-2013-0277\");\n\n script_name(english:\"openSUSE Security Update : RubyOnRails (openSUSE-SU-2013:0338-1)\");\n script_summary(english:\"Check for the openSUSE-2013-152 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Ruby on Rails 2.3 stack was updated to 2.3.17. The Ruby on Rails\n3.2 stack was updated to 3.2.12.\n\nThe Ruby Rack was updated to 1.1.6. The Ruby Rack was\nupdated to 1.2.8. The Ruby Rack was updated to 1.3.10. The\nRuby Rack was updated to 1.4.5.\n\nThe updates fix various security issues and bugs.\n\n - update to version 2.3.17 (bnc#803336, bnc#803339)\n CVE-2013-0276 CVE-2013-0277 :\n\n - update to version 3.2.12 (bnc#803336) CVE-2013-0276 :\n\n - update to version 3.2.12 (bnc#803336) CVE-2013-0276:\n issue with attr_protected where malformed input could\n circumvent protection\n\n - update to version 2.3.17 (bnc#803336, bnc#803339)\n CVE-2013-0276 CVE-2013-0277 :\n\n - Fix issue with attr_protected where malformed input\n could circumvent protection\n\n - Fix Serialized Attributes YAML Vulnerability\n\n - update to version 2.3.17 (bnc#803336, bnc#803339)\n CVE-2013-0276 CVE-2013-0277 :\n\n - Fix issue with attr_protected where malformed input\n could circumvent protection\n\n - Fix Serialized Attributes YAML Vulnerability\n\n - update to version 3.2.12 (bnc#803336) CVE-2013-0276 :\n\n - Quote numeric values being compared to non-numeric\n columns. Otherwise, in some database, the string column\n values will be coerced to a numeric allowing 0, 0.0 or\n false to match any string starting with a non-digit.\n\n - update to 1.1.6 (bnc#802794)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - update to 1.2.8 (bnc#802794)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - update to 1.3.10 (bnc#802794)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - ruby rack update to 1.4.5 (bnc#802794 bnc#802795)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - Fix CVE-2013-0262, symlink path traversal in Rack::File\n\n - ruby rack update to 1.4.4 (bnc#798452)\n\n - [SEC] Rack::Auth::AbstractRequest no longer symbolizes\n arbitrary strings (CVE-2013-0184)\n\n - ruby rack changes from 1.4.3\n\n - Security: Prevent unbounded reads in large multipart\n boundaries (CVE-2013-0183)\n\n - ruby rack changes from 1.4.2 (CVE-2012-6109)\n\n - Add warnings when users do not provide a session secret\n\n - Fix parsing performance for unquoted filenames\n\n - Updated URI backports\n\n - Fix URI backport version matching, and silence constant\n warnings\n\n - Correct parameter parsing with empty values\n\n - Correct rackup '-I' flag, to allow multiple uses\n\n - Correct rackup pidfile handling\n\n - Report rackup line numbers correctly\n\n - Fix request loops caused by non-stale nonces with time\n limits\n\n - Fix reloader on Windows\n\n - Prevent infinite recursions from Response#to_ary\n\n - Various middleware better conforms to the body close\n specification\n\n - Updated language for the body close specification\n\n - Additional notes regarding ECMA escape compatibility\n issues\n\n - Fix the parsing of multiple ranges in range headers\n\n - Prevent errors from empty parameter keys\n\n - Added PATCH verb to Rack::Request\n\n - Various documentation updates\n\n - Fix session merge semantics (fixes rack-test)\n\n - Rack::Static :index can now handle multiple directories\n\n - All tests now utilize Rack::Lint (special thanks to Lars\n Gierth)\n\n - Rack::File cache_control parameter is now deprecated,\n and removed by 1.5\n\n - Correct Rack::Directory script name escaping\n\n - Rack::Static supports header rules for sophisticated\n configurations\n\n - Multipart parsing now works without a Content-Length\n header\n\n - New logos courtesy of Zachary Scott!\n\n - Rack::BodyProxy now explicitly defines #each, useful for\n C extensions\n\n - Cookies that are not URI escaped no longer cause\n exceptions\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=798452\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=802794\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=802795\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=803336\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=803339\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2013-02/msg00071.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected RubyOnRails packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionmailer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionmailer-2_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionmailer-2_3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionmailer-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionpack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionpack-2_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionpack-2_3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionpack-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activemodel-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activerecord-2_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activerecord-2_3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activerecord-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activeresource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activeresource-2_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activeresource-2_3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activeresource-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activesupport\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activesupport-2_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activesupport-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_1-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_2-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_4-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rails-2_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rails-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-railties-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.1|SUSE12\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.1 / 12.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-actionmailer-2.3.17-2.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-actionmailer-2_3-2.3.17-3.13.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-actionmailer-2_3-testsuite-2.3.17-3.13.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-actionpack-2.3.17-2.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-actionpack-2_3-2.3.17-3.20.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-actionpack-2_3-testsuite-2.3.17-3.20.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activerecord-2.3.17-2.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activerecord-2_3-2.3.17-3.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activerecord-2_3-testsuite-2.3.17-3.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activeresource-2.3.17-2.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activeresource-2_3-2.3.17-3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activeresource-2_3-testsuite-2.3.17-3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activesupport-2.3.17-2.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activesupport-2_3-2.3.17-3.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-rack-1_1-1.1.6-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-rack-1_1-testsuite-1.1.6-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-rails-2.3.17-2.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-rails-2_3-2.3.17-3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionmailer-2.3.17-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionmailer-2_3-2.3.17-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionmailer-2_3-testsuite-2.3.17-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionmailer-3_2-3.2.12-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionpack-2.3.17-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionpack-2_3-2.3.17-2.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionpack-2_3-testsuite-2.3.17-2.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionpack-3_2-3.2.12-3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activemodel-3_2-3.2.12-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activerecord-2.3.17-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activerecord-2_3-2.3.17-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activerecord-2_3-testsuite-2.3.17-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activerecord-3_2-3.2.12-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activeresource-2.3.17-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activeresource-2_3-2.3.17-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activeresource-2_3-testsuite-2.3.17-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activeresource-3_2-3.2.12-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activesupport-2.3.17-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activesupport-2_3-2.3.17-3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activesupport-3_2-3.2.12-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_1-1.1.6-6.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_1-testsuite-1.1.6-6.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_2-1.2.8-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_2-testsuite-1.2.8-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_3-1.3.10-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_3-testsuite-1.3.10-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_4-1.4.5-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_4-testsuite-1.4.5-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rails-2.3.17-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rails-2_3-2.3.17-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rails-3_2-3.2.12-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-railties-3_2-3.2.12-2.13.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"RubyOnRails\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:12:05", "description": "Red Hat Subscription Asset Manager 1.2, which fixes several security\nissues, multiple bugs, and adds various enhancements, is now\navailable.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nRed Hat Subscription Asset Manager acts as a proxy for handling\nsubscription information and software updates on client machines.\n\nIt was discovered that Katello did not properly check user permissions\nwhen handling certain requests. An authenticated remote attacker could\nuse this flaw to download consumer certificates or change settings of\nother users' systems if they knew the target system's UUID.\n(CVE-2012-5603)\n\nA vulnerability in rubygem-ldap_fluff allowed a remote attacker to\nbypass authentication and log into Subscription Asset Manager when a\nMicrosoft Active Directory server was used as the back-end\nauthentication server. (CVE-2012-5604)\n\nIt was found that the\n'/usr/share/katello/script/katello-generate-passphrase' utility, which\nis run during the installation and configuration process, set\nworld-readable permissions on the '/etc/katello/secure/passphrase'\nfile. A local attacker could use this flaw to obtain the passphrase\nfor Katello, giving them access to information they would otherwise\nnot have access to. (CVE-2012-5561)\n\nNote: After installing this update, ensure the\n'/etc/katello/secure/passphrase' file is owned by the root user and\ngroup and mode 0750 permissions. Sites should also consider\nre-creating the Katello passphrase as this issue exposed it to local\nusers.\n\nThree flaws were found in rubygem-rack. A remote attacker could use\nthese flaws to perform a denial of service attack against applications\nusing rubygem-rack. (CVE-2012-6109, CVE-2013-0183, CVE-2013-0184)\n\nA flaw was found in the way rubygem-activerecord dynamic finders\nextracted options from method parameters. A remote attacker could\npossibly use this flaw to perform SQL injection attacks against\napplications using the Active Record dynamic finder methods.\n(CVE-2012-6496)\n\nIt was found that ruby_parser from rubygem-ruby_parser created a\ntemporary file in an insecure way. A local attacker could use this\nflaw to perform a symbolic link attack, overwriting arbitrary files\naccessible to the application using ruby_parser. (CVE-2013-0162)\n\nThe CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat;\nCVE-2012-5604 was discovered by Og Maciel of Red Hat; CVE-2012-5561\nwas discovered by Aaron Weitekamp of the Red Hat Cloud Quality\nEngineering team; and CVE-2013-0162 was discovered by Michael Scherer\nof the Red Hat Regional IT team.\n\nThese updated Subscription Asset Manager packages include a number of\nbug fixes and enhancements. Space precludes documenting all of these\nchanges in this advisory. Refer to the Red Hat Subscription Asset\nManager 1.2 Release Notes for information about these changes :\n\nhttps://access.redhat.com/knowledge/docs/en-US/\nRed_Hat_Subscription_Asset_Manager/1.2/html/Release_Notes/index.html\n\nAll users of Red Hat Subscription Asset Manager are advised to upgrade\nto these updated packages, which fix these issues and add various\nenhancements.", "edition": 22, "published": "2013-03-10T00:00:00", "title": "RHEL 6 : Subscription Asset Manager (RHSA-2013:0544)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6109", "CVE-2012-5604", "CVE-2012-6496", "CVE-2012-5603", "CVE-2012-5561", "CVE-2013-0162", "CVE-2013-0183", "CVE-2013-0184"], "modified": "2013-03-10T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:katello-glue-candlepin", "p-cpe:/a:redhat:enterprise_linux:rubygem-ruby_parser-doc", "p-cpe:/a:redhat:enterprise_linux:rubygem-ruby_parser", "p-cpe:/a:redhat:enterprise_linux:rubygem-mail", "p-cpe:/a:redhat:enterprise_linux:rubygem-ldap_fluff", "p-cpe:/a:redhat:enterprise_linux:katello-configure", "p-cpe:/a:redhat:enterprise_linux:lucene3", "p-cpe:/a:redhat:enterprise_linux:apache-commons-codec-debuginfo", "p-cpe:/a:redhat:enterprise_linux:apache-mime4j", "p-cpe:/a:redhat:enterprise_linux:rubygem-apipie-rails", "p-cpe:/a:redhat:enterprise_linux:sigar", "p-cpe:/a:redhat:enterprise_linux:sigar-java", "p-cpe:/a:redhat:enterprise_linux:rubygem-mail-doc", "p-cpe:/a:redhat:enterprise_linux:rubygem-activesupport", "p-cpe:/a:redhat:enterprise_linux:katello-common", "p-cpe:/a:redhat:enterprise_linux:apache-mime4j-javadoc", "p-cpe:/a:redhat:enterprise_linux:katello-selinux", "p-cpe:/a:redhat:enterprise_linux:candlepin-selinux", "p-cpe:/a:redhat:enterprise_linux:quartz", "p-cpe:/a:redhat:enterprise_linux:candlepin-tomcat6", "p-cpe:/a:redhat:enterprise_linux:katello-certs-tools", "p-cpe:/a:redhat:enterprise_linux:katello-cli", "p-cpe:/a:redhat:enterprise_linux:puppet-server", "p-cpe:/a:redhat:enterprise_linux:snappy-java-debuginfo", "p-cpe:/a:redhat:enterprise_linux:lucene3-contrib", "p-cpe:/a:redhat:enterprise_linux:candlepin", "p-cpe:/a:redhat:enterprise_linux:thumbslug", "p-cpe:/a:redhat:enterprise_linux:thumbslug-selinux", "p-cpe:/a:redhat:enterprise_linux:elasticsearch", "p-cpe:/a:redhat:enterprise_linux:apache-commons-codec", "p-cpe:/a:redhat:enterprise_linux:katello-cli-common", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:sigar-debuginfo", "p-cpe:/a:redhat:enterprise_linux:katello-headpin-all", "p-cpe:/a:redhat:enterprise_linux:candlepin-devel", "p-cpe:/a:redhat:enterprise_linux:snappy-java", "p-cpe:/a:redhat:enterprise_linux:katello-headpin", "p-cpe:/a:redhat:enterprise_linux:puppet"], "id": "REDHAT-RHSA-2013-0544.NASL", "href": "https://www.tenable.com/plugins/nessus/65172", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# Disabled on 2013/07/05.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0544. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(65172);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2012-5561\", \"CVE-2012-5603\", \"CVE-2012-5604\", \"CVE-2012-6109\", \"CVE-2012-6496\", \"CVE-2013-0162\", \"CVE-2013-0183\", \"CVE-2013-0184\");\n script_xref(name:\"RHSA\", value:\"2013:0544\");\n\n script_name(english:\"RHEL 6 : Subscription Asset Manager (RHSA-2013:0544)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Red Hat Subscription Asset Manager 1.2, which fixes several security\nissues, multiple bugs, and adds various enhancements, is now\navailable.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nRed Hat Subscription Asset Manager acts as a proxy for handling\nsubscription information and software updates on client machines.\n\nIt was discovered that Katello did not properly check user permissions\nwhen handling certain requests. An authenticated remote attacker could\nuse this flaw to download consumer certificates or change settings of\nother users' systems if they knew the target system's UUID.\n(CVE-2012-5603)\n\nA vulnerability in rubygem-ldap_fluff allowed a remote attacker to\nbypass authentication and log into Subscription Asset Manager when a\nMicrosoft Active Directory server was used as the back-end\nauthentication server. (CVE-2012-5604)\n\nIt was found that the\n'/usr/share/katello/script/katello-generate-passphrase' utility, which\nis run during the installation and configuration process, set\nworld-readable permissions on the '/etc/katello/secure/passphrase'\nfile. A local attacker could use this flaw to obtain the passphrase\nfor Katello, giving them access to information they would otherwise\nnot have access to. (CVE-2012-5561)\n\nNote: After installing this update, ensure the\n'/etc/katello/secure/passphrase' file is owned by the root user and\ngroup and mode 0750 permissions. Sites should also consider\nre-creating the Katello passphrase as this issue exposed it to local\nusers.\n\nThree flaws were found in rubygem-rack. A remote attacker could use\nthese flaws to perform a denial of service attack against applications\nusing rubygem-rack. (CVE-2012-6109, CVE-2013-0183, CVE-2013-0184)\n\nA flaw was found in the way rubygem-activerecord dynamic finders\nextracted options from method parameters. A remote attacker could\npossibly use this flaw to perform SQL injection attacks against\napplications using the Active Record dynamic finder methods.\n(CVE-2012-6496)\n\nIt was found that ruby_parser from rubygem-ruby_parser created a\ntemporary file in an insecure way. A local attacker could use this\nflaw to perform a symbolic link attack, overwriting arbitrary files\naccessible to the application using ruby_parser. (CVE-2013-0162)\n\nThe CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat;\nCVE-2012-5604 was discovered by Og Maciel of Red Hat; CVE-2012-5561\nwas discovered by Aaron Weitekamp of the Red Hat Cloud Quality\nEngineering team; and CVE-2013-0162 was discovered by Michael Scherer\nof the Red Hat Regional IT team.\n\nThese updated Subscription Asset Manager packages include a number of\nbug fixes and enhancements. Space precludes documenting all of these\nchanges in this advisory. Refer to the Red Hat Subscription Asset\nManager 1.2 Release Notes for information about these changes :\n\nhttps://access.redhat.com/knowledge/docs/en-US/\nRed_Hat_Subscription_Asset_Manager/1.2/html/Release_Notes/index.html\n\nAll users of Red Hat Subscription Asset Manager are advised to upgrade\nto these updated packages, which fix these issues and add various\nenhancements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2012-5561.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2012-5603.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2012-5604.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2012-6109.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2012-6496.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-0162.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-0183.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-0184.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/knowledge/docs/en-US/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2013-0544.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-commons-codec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-commons-codec-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-mime4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-mime4j-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:candlepin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:candlepin-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:candlepin-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:candlepin-tomcat6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:elasticsearch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-certs-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-cli-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-configure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-glue-candlepin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-headpin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-headpin-all\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:lucene3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:lucene3-contrib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:puppet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:puppet-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:quartz\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-activesupport\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-apipie-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-ldap_fluff\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-mail\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-mail-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-ruby_parser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-ruby_parser-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:sigar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:sigar-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:sigar-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:snappy-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:snappy-java-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:thumbslug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:thumbslug-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n# Deprecated\nexit(0, \"This plugin has been temporarily deprecated.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (!rpm_exists(release:\"RHEL6\", rpm:\"candlepin\")) exit(0, \"Red Hat Subscription Asset Manager is not installed.\");\n\nflag = 0;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"apache-commons-codec-1.7-2.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"apache-commons-codec-debuginfo-1.7-2.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"apache-mime4j-0.6-4_redhat_1.ep6.el6.1\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"apache-mime4j-javadoc-0.6-4_redhat_1.ep6.el6.1\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"candlepin-0.7.23-1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"candlepin-devel-0.7.23-1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"candlepin-selinux-0.7.23-1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"candlepin-tomcat6-0.7.23-1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"elasticsearch-0.19.9-5.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"katello-certs-tools-1.2.1-1h.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"katello-cli-1.2.1-12h.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"katello-cli-common-1.2.1-12h.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"katello-common-1.2.1-15h.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"katello-configure-1.2.3-3h.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"katello-glue-candlepin-1.2.1-15h.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"katello-headpin-1.2.1-15h.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"katello-headpin-all-1.2.1-15h.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"katello-selinux-1.2.1-2h.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"lucene3-3.6.1-10h.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"lucene3-contrib-3.6.1-10h.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"puppet-2.6.17-2.el6cf\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"puppet-server-2.6.17-2.el6cf\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"quartz-2.1.5-4.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"rubygem-activesupport-3.0.10-10.el6cf\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"rubygem-apipie-rails-0.0.12-2.el6cf\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"rubygem-ldap_fluff-0.1.3-1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"rubygem-mail-2.3.0-3.el6cf\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"rubygem-mail-doc-2.3.0-3.el6cf\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"rubygem-ruby_parser-2.0.4-6.el6cf\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"rubygem-ruby_parser-doc-2.0.4-6.el6cf\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"sigar-1.6.5-0.12.git58097d9h.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"sigar-debuginfo-1.6.5-0.12.git58097d9h.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"sigar-java-1.6.5-0.12.git58097d9h.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"snappy-java-1.0.4-2.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"snappy-java-debuginfo-1.0.4-2.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"thumbslug-0.0.28-1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"thumbslug-selinux-0.0.28-1.el6_3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:53:29", "description": "The remote host is affected by the vulnerability described in GLSA-201203-05\n(Rack: Denial of Service)\n\n Rack does not properly randomize hash functions to protect against hash\n collision attacks.\n \nImpact :\n\n A remote attacker could send a specially crafted form post, possibly\n resulting in a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 21, "published": "2012-03-06T00:00:00", "title": "GLSA-201203-05 : Rack: Denial of Service", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-5036"], "modified": "2012-03-06T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:rack", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201203-05.NASL", "href": "https://www.tenable.com/plugins/nessus/58215", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201203-05.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(58215);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2011-5036\");\n script_bugtraq_id(51197);\n script_xref(name:\"GLSA\", value:\"201203-05\");\n\n script_name(english:\"GLSA-201203-05 : Rack: Denial of Service\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201203-05\n(Rack: Denial of Service)\n\n Rack does not properly randomize hash functions to protect against hash\n collision attacks.\n \nImpact :\n\n A remote attacker could send a specially crafted form post, possibly\n resulting in a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201203-05\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Rack users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-ruby/rack-1.1.3'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/03/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-ruby/rack\", unaffected:make_list(\"ge 1.1.3\"), vulnerable:make_list(\"lt 1.1.3\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Rack\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:09:49", "description": "Julian Walde and Alexander Klink reported a flaw in the hash function\nused in the implementation of the Ruby-rack arrays (CVE-2011-5036).\nRuby-rack arrays are implemented using the hash table that maps keys\nto values. This update fixes the bug.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2012-01-17T00:00:00", "title": "Fedora 16 : rubygem-rack-1.3.0-2.fc16 (2012-0166)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-5036"], "modified": "2012-01-17T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:rubygem-rack", "cpe:/o:fedoraproject:fedora:16"], "id": "FEDORA_2012-0166.NASL", "href": "https://www.tenable.com/plugins/nessus/57563", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-0166.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57563);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-5036\");\n script_bugtraq_id(51197);\n script_xref(name:\"FEDORA\", value:\"2012-0166\");\n\n script_name(english:\"Fedora 16 : rubygem-rack-1.3.0-2.fc16 (2012-0166)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Julian Walde and Alexander Klink reported a flaw in the hash function\nused in the implementation of the Ruby-rack arrays (CVE-2011-5036).\nRuby-rack arrays are implemented using the hash table that maps keys\nto values. This update fixes the bug.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=771150\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-January/072051.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f177d1ac\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-rack package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/01/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/01/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"rubygem-rack-1.3.0-2.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-rack\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:09:48", "description": "Julian Walde and Alexander Klink reported a flaw in the hash function\nused in the implementation of the Ruby-rack arrays (CVE-2011-5036).\nRuby-rack arrays are implemented using the hash table that maps keys\nto values. This update fixes the bug.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2012-01-17T00:00:00", "title": "Fedora 15 : rubygem-rack-1.1.0-4.fc15 (2012-0233)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-5036"], "modified": "2012-01-17T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:rubygem-rack", "cpe:/o:fedoraproject:fedora:15"], "id": "FEDORA_2012-0233.NASL", "href": "https://www.tenable.com/plugins/nessus/57564", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-0233.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57564);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-5036\");\n script_bugtraq_id(51197);\n script_xref(name:\"FEDORA\", value:\"2012-0233\");\n\n script_name(english:\"Fedora 15 : rubygem-rack-1.1.0-4.fc15 (2012-0233)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Julian Walde and Alexander Klink reported a flaw in the hash function\nused in the implementation of the Ruby-rack arrays (CVE-2011-5036).\nRuby-rack arrays are implemented using the hash table that maps keys\nto values. This update fixes the bug.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=771150\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-January/072063.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7dd53941\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-rack package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:15\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/01/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/01/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^15([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 15.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC15\", reference:\"rubygem-rack-1.1.0-4.fc15\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-rack\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2020-11-11T13:27:23", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0183", "CVE-2011-5036", "CVE-2013-0184", "CVE-2013-0263"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA-2783-2 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nOctober 24, 2013 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : librack-ruby\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2011-5036 CVE-2013-0183 CVE-2013-0184 CVE-2013-0263\nDebian Bug : 653963 698440 700226\n\nThe update of librack-ruby in DSA-2783-1 also addressed CVE-2013-0183.\nThe patch applied breaks rails applications like redmine (see Debian Bug\n#727187). Updated packages are available to address this problem.\n\nFor reference, the original advisory text follows:\n\nSeveral vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. The Common Vulnerabilites and Exposures project\nidentifies the following vulnerabilities:\n\nCVE-2011-5036\n\n Rack computes hash values for form parameters without restricting\n the ability to trigger hash collisions predictably, which allows\n remote attackers to cause a denial of service (CPU consumption)\n by sending many crafted parameters.\n\nCVE-2013-0184\n\n Vulnerability in Rack::Auth::AbstractRequest allows remote\n attackers to cause a denial of service via unknown vectors.\n\nCVE-2013-0263\n\n Rack::Session::Cookie allows remote attackers to guess the\n session cookie, gain privileges, and execute arbitrary code via a\n timing attack involving am HMAC comparison function that does not\n run in constant time.\n\nFor the oldstable distribution (squeeze), these problems have been fixed in\nversion 1.1.0-4+squeeze1.\n\nThe stable, testing and unstable distributions do not contain the\nlibrack-ruby package. They have already been addressed in version\n1.4.1-2.1 of the ruby-rack package.\n\nWe recommend that you upgrade your librack-ruby packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2013-10-24T19:29:57", "published": "2013-10-24T19:29:57", "id": "DEBIAN:DSA-2783-2:41A1A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00196.html", "title": "[SECURITY] [DSA 2783-2] librack-ruby regression update", "type": "debian", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-11T13:12:31", "bulletinFamily": "unix", "cvelist": ["CVE-2011-5036", "CVE-2013-0184", "CVE-2013-0263"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2783-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nOctober 21, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : librack-ruby\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2011-5036 CVE-2013-0184 CVE-2013-0263\nDebian Bug : 653963 698440 700226\n\nSeveral vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. The Common Vulnerabilites and Exposures project\nidentifies the following vulnerabilities:\n\nCVE-2011-5036\n\n Rack computes hash values for form parameters without restricting\n the ability to trigger hash collisions predictably, which allows\n remote attackers to cause a denial of service (CPU consumption)\n by sending many crafted parameters. \n\nCVE-2013-0184\n\n Vulnerability in Rack::Auth::AbstractRequest allows remote\n attackers to cause a denial of service via unknown vectors.\n\nCVE-2013-0263\n\n Rack::Session::Cookie allows remote attackers to guess the\n session cookie, gain privileges, and execute arbitrary code via a\n timing attack involving am HMAC comparison function that does not\n run in constant time. \n\nFor the oldstable distribution (squeeze), these problems have been fixed in\nversion 1.1.0-4+squeeze1.\n\nThe stable, testing and unstable distributions do not contain the\nlibrack-ruby package. They have already been addressed in version\n1.4.1-2.1 of the ruby-rack package.\n\nWe recommend that you upgrade your librack-ruby packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2013-10-21T19:21:19", "published": "2013-10-21T19:21:19", "id": "DEBIAN:DSA-2783-1:70ED3", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00194.html", "title": "[SECURITY] [DSA 2783-1] librack-ruby security update", "type": "debian", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:49", "bulletinFamily": "software", "cvelist": ["CVE-2013-0183", "CVE-2011-5036", "CVE-2013-0184", "CVE-2013-0263"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\n- --------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2783-2 security@debian.org\r\nhttp://www.debian.org/security/ Salvatore Bonaccorso\r\nOctober 24, 2013 http://www.debian.org/security/faq\r\n- --------------------------------------------------------------------------\r\n\r\nPackage : librack-ruby\r\nVulnerability : several\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE ID : CVE-2011-5036 CVE-2013-0183 CVE-2013-0184 CVE-2013-0263\r\nDebian Bug : 653963 698440 700226\r\n\r\nThe update of librack-ruby in DSA-2783-1 also addressed CVE-2013-0183.\r\nThe patch applied breaks rails applications like redmine (see Debian Bug\r\n#727187). Updated packages are available to address this problem.\r\n\r\nFor reference, the original advisory text follows:\r\n\r\nSeveral vulnerabilities were discovered in Rack, a modular Ruby\r\nwebserver interface. The Common Vulnerabilites and Exposures project\r\nidentifies the following vulnerabilities:\r\n\r\nCVE-2011-5036\r\n\r\n Rack computes hash values for form parameters without restricting\r\n the ability to trigger hash collisions predictably, which allows\r\n remote attackers to cause a denial of service (CPU consumption)\r\n by sending many crafted parameters.\r\n\r\nCVE-2013-0184\r\n\r\n Vulnerability in Rack::Auth::AbstractRequest allows remote\r\n attackers to cause a denial of service via unknown vectors.\r\n\r\nCVE-2013-0263\r\n\r\n Rack::Session::Cookie allows remote attackers to guess the\r\n session cookie, gain privileges, and execute arbitrary code via a\r\n timing attack involving am HMAC comparison function that does not\r\n run in constant time.\r\n\r\nFor the oldstable distribution (squeeze), these problems have been fixed in\r\nversion 1.1.0-4+squeeze1.\r\n\r\nThe stable, testing and unstable distributions do not contain the\r\nlibrack-ruby package. They have already been addressed in version\r\n1.4.1-2.1 of the ruby-rack package.\r\n\r\nWe recommend that you upgrade your librack-ruby packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.15 (GNU/Linux)\r\n\r\niQIcBAEBCgAGBQJSaXS+AAoJEAVMuPMTQ89EmmEP/jR1XHtOt+qIbRe68DkmR3T+\r\nc13FpFVTh2Q2jGiPWtLeUox25Zr6XN3ZtOVlOXbJpJbT51rFqf5KeVU+2EO9bukA\r\n/UIvMmU7SNqE14vmCLBhhZfbjzlB7phtVtfqY2SMryeRW0KV8L2daljtSzJpb36D\r\nO6tRdCaS1O6LsNoCu4gV5o1j9sS7HenoG7f3zyXlPQvPOLkbqZoZseJkG5rlrFmu\r\nz8TYVxPLXalAOSYRa09ckJm9e5L91/zl3JXKbB4Amn/sjLrE/3aT0ipFX2FHNVCb\r\nIRIlyTRIcrfKzuPabGwf/HdJDKu3LqeoJXjc9OytT5XHoBzHyMRg3imI/evPInUB\r\nr0F14/mCZgI7R7HWRYL9YI7oI3M1SLXXoVjT04dZJWFkIuetypfeNAn7gmWE+B5K\r\niX8OqswZceOj9FTJuDxZAur9nowc9leDP9xXwlpa10z6N380ax3vrYRhXWwaW5io\r\ntuq5YTQN9tW3N2L0oDTmZQVCZFHqJMojEq/2rogAymBIp4TPvxrSEn0p9kHpfrur\r\n8+/QKYPmGXZ7SXXxlnPQDrqhFAcsobl62+obfuFXOquC+J+Snk5JJQ3I0on2qq4X\r\n6ZqfX4bA5IGnA2cohar5QpyE4QY0Rrc8EnylNkkZufLbhwin+eIYwHXz3Dbuj8uX\r\nPfBHzdV0zkVpegKYbiBw\r\n=HGaa\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2013-10-28T00:00:00", "published": "2013-10-28T00:00:00", "id": "SECURITYVULNS:DOC:29957", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29957", "title": "[SECURITY] [DSA 2783-2] librack-ruby regression update", "type": "securityvulns", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:53", "bulletinFamily": "software", "cvelist": ["CVE-2013-0183", "CVE-2011-5036", "CVE-2013-0184", "CVE-2013-0263"], "description": "DoS, code execution.", "edition": 1, "modified": "2013-10-28T00:00:00", "published": "2013-10-28T00:00:00", "id": "SECURITYVULNS:VULN:13370", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13370", "title": "Librack multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:11", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0262", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0263"], "description": "### Background\n\nRack is a modular Ruby web server interface.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Rack. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or obtain sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Rack 1.4 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-ruby/rack-1.4.5\"\n \n\nAll Rack 1.3 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-ruby/rack-1.3.10\"\n \n\nAll Rack 1.2 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-ruby/rack-1.2.8\"\n \n\nAll Rack 1.1 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-ruby/rack-1.1.6\"", "edition": 1, "modified": "2014-05-17T00:00:00", "published": "2014-05-17T00:00:00", "id": "GLSA-201405-10", "href": "https://security.gentoo.org/glsa/201405-10", "type": "gentoo", "title": "Rack: Multiple vulnerabilities", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-06T19:46:01", "bulletinFamily": "unix", "cvelist": ["CVE-2011-5036"], "description": "### Background\n\nRack is a modular Ruby web server interface.\n\n### Description\n\nRack does not properly randomize hash functions to protect against hash collision attacks. \n\n### Impact\n\nA remote attacker could send a specially crafted form post, possibly resulting in a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Rack users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-ruby/rack-1.1.3\"", "edition": 1, "modified": "2012-03-06T00:00:00", "published": "2012-03-06T00:00:00", "id": "GLSA-201203-05", "href": "https://security.gentoo.org/glsa/201203-05", "type": "gentoo", "title": "Rack: Denial of Service", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "redhat": [{"lastseen": "2019-08-13T18:46:30", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5561", "CVE-2012-5603", "CVE-2012-6109", "CVE-2013-0162", "CVE-2013-0183", "CVE-2013-0184"], "description": "Red Hat Subscription Asset Manager acts as a proxy for handling\nsubscription information and software updates on client machines.\n\nIt was discovered that Katello did not properly check user permissions when\nhandling certain requests. An authenticated remote attacker could use this\nflaw to download consumer certificates or change settings of other users'\nsystems if they knew the target system's UUID. (CVE-2012-5603)\n\nIt was found that the\n\"/usr/share/katello/script/katello-generate-passphrase\" utility, which is\nrun during the installation and configuration process, set world-readable\npermissions on the \"/etc/katello/secure/passphrase\" file. A local attacker\ncould use this flaw to obtain the passphrase for Katello, giving them\naccess to information they would otherwise not have access to.\n(CVE-2012-5561)\n\nNote: After installing this update, ensure the\n\"/etc/katello/secure/passphrase\" file is owned by the root user and group\nand mode 0750 permissions. Sites should also consider re-creating the\nKatello passphrase as this issue exposed it to local users.\n\nThree flaws were found in rubygem-rack. A remote attacker could use these\nflaws to perform a denial of service attack against applications using\nrubygem-rack. (CVE-2012-6109, CVE-2013-0183, CVE-2013-0184)\n\nIt was found that ruby_parser from rubygem-ruby_parser created a temporary\nfile in an insecure way. A local attacker could use this flaw to perform a\nsymbolic link attack, overwriting arbitrary files accessible to the\napplication using ruby_parser. (CVE-2013-0162)\n\nThe CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat;\nCVE-2012-5561 was discovered by Aaron Weitekamp of the Red Hat Cloud\nQuality Engineering team; and CVE-2013-0162 was discovered by Michael\nScherer of the Red Hat Regional IT team.\n\nThese updated Subscription Asset Manager packages include a number of bug\nfixes and enhancements. Space precludes documenting all of these changes\nin this advisory. Refer to the Red Hat Subscription Asset Manager 1.2\nRelease Notes for information about these changes:\n\nhttps://access.redhat.com/knowledge/docs/en-US/Red_Hat_Subscription_Asset_Manager/1.2/html/Release_Notes/index.html\n\nAll users of Red Hat Subscription Asset Manager are advised to upgrade to\nthese updated packages, which fix these issues and add various\nenhancements.\n", "modified": "2018-06-07T09:01:04", "published": "2013-02-21T05:00:00", "id": "RHSA-2013:0544", "href": "https://access.redhat.com/errata/RHSA-2013:0544", "type": "redhat", "title": "(RHSA-2013:0544) Important: Subscription Asset Manager 1.2 update", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}], "suse": [{"lastseen": "2016-09-04T11:31:56", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2695", "CVE-2012-6109", "CVE-2013-0156", "CVE-2013-0183", "CVE-2013-0155", "CVE-2013-0184", "CVE-2012-5664"], "description": "rubygem-merb-core has been updated to change the rack\n version dependency. Now any rack 1.1 version is accepted.\n\n This update needs to be installed in parallel with the\n 2.3.17 rails update.\n", "edition": 1, "modified": "2013-03-20T17:04:42", "published": "2013-03-20T17:04:42", "id": "SUSE-SU-2013:0508-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00040.html", "title": "Security update for rubygem-merb-core (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "github": [{"lastseen": "2020-03-10T23:26:17", "bulletinFamily": "software", "cvelist": ["CVE-2012-6109"], "description": "lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.", "edition": 2, "modified": "2019-07-03T21:02:00", "published": "2017-10-24T18:33:37", "id": "GHSA-H77X-M5Q8-C29H", "href": "https://github.com/advisories/GHSA-h77x-m5q8-c29h", "title": "Moderate severity vulnerability that affects rack", "type": "github", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-03-10T23:26:17", "bulletinFamily": "software", "cvelist": ["CVE-2013-0183"], "description": "multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet.", "edition": 2, "modified": "2019-07-03T21:02:00", "published": "2017-10-24T18:33:37", "id": "GHSA-3PXH-H8HW-MJ8W", "href": "https://github.com/advisories/GHSA-3pxh-h8hw-mj8w", "title": "Moderate severity vulnerability that affects rack", "type": "github", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:54", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4838", "CVE-2011-5036", "CVE-2011-5037", "CVE-2011-4815"], "description": "\noCERT reports:\n\nA variety of programming languages suffer from a denial-of-service\n\t (DoS) condition against storage functions of key/value pairs in\n\t hash data structures, the condition can be leveraged by exploiting\n\t predictable collisions in the underlying hashing algorithms.\nThe issue finds particular exposure in web server applications\n\t and/or frameworks. In particular, the lack of sufficient limits\n\t for the number of parameters in POST requests in conjunction with\n\t the predictable collision properties in the hashing functions of\n\t the underlying languages can render web applications vulnerable\n\t to the DoS condition. The attacker, using specially crafted HTTP\n\t requests, can lead to a 100% of CPU usage which can last up to\n\t several hours depending on the targeted application and server\n\t performance, the amplification effect is considerable and\n\t requires little bandwidth and time on the attacker side.\nThe condition for predictable collisions in the hashing functions\n\t has been reported for the following language implementations:\n\t Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the\n\t Ruby language, the 1.9.x branch is not affected by the\n\t predictable collision condition since this version includes a\n\t randomization of the hashing function.\nThe vulnerability outlined in this advisory is practically\n\t identical to the one reported in 2003 and described in the paper\n\t Denial of Service via Algorithmic Complexity Attacks which\n\t affected the Perl language.\n\n", "edition": 4, "modified": "2012-01-20T00:00:00", "published": "2011-12-28T00:00:00", "id": "91BE81E7-3FEA-11E1-AFC7-2C4138874F7D", "href": "https://vuxml.freebsd.org/freebsd/91be81e7-3fea-11e1-afc7-2c4138874f7d.html", "title": "Multiple implementations -- DoS via hash algorithm collision", "type": "freebsd", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}