ID OPENVAS:1361412562310865607 Type openvas Reporter Copyright (c) 2013 Greenbone Networks GmbH Modified 2019-03-15T00:00:00
Description
The remote host is missing an update for the 'rubygem-rack' package(s) announced via the referenced advisory.
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for rubygem-rack FEDORA-2013-2306
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
if(description)
{
  # Identity and revision of this NVT.
  script_oid("1.3.6.1.4.1.25623.1.0.865607");
  script_version("$Revision: 14223 $");
  script_name("Fedora Update for rubygem-rack FEDORA-2013-2306");

  # Advisory references: the Fedora update id, the announcement URL and the
  # CVEs the advisory covers.
  script_xref(name:"FEDORA", value:"2013-2306");
  script_xref(name:"URL", value:"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104672.html");
  script_cve_id("CVE-2013-0262", "CVE-2013-0263", "CVE-2011-6109", "CVE-2013-0183", "CVE-2013-0184");

  # Severity metadata.
  script_tag(name:"cvss_base", value:"5.1");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:H/Au:N/C:P/I:P/A:P");

  # Timestamps.
  script_tag(name:"creation_date", value:"2013-05-09 10:21:33 +0530 (Thu, 09 May 2013)");
  script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");

  # Text shown in the report.
  script_tag(name:"summary", value:"The remote host is missing an update for the 'rubygem-rack'
package(s) announced via the referenced advisory.");
  script_tag(name:"affected", value:"rubygem-rack on Fedora 18");
  script_tag(name:"solution", value:"Please install the updated package(s).");
  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");

  # Scheduling: a local package check that depends on the SSH package list
  # and on the gathered release key matching FC18.
  script_category(ACT_GATHER_INFO);
  script_family("Fedora Local Security Checks");
  script_copyright("Copyright (c) 2013 Greenbone Networks GmbH");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC18");

  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# Release string gathered over SSH; nothing to check without it.
release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";

if(release == "FC18")
{
  # Compare the installed rubygem-rack with the fixed build named in the
  # advisory; a non-NULL result is the report text for a vulnerable version.
  res = isrpmvuln(pkg:"rubygem-rack", rpm:"rubygem-rack~1.4.0~5.fc18", rls:"FC18");
  if(res != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  # __pkg_match is set by the include (presumably when the package was
  # found); exit code 99 marks the host as not vulnerable, as the earlier
  # revision of this check annotates it.
  if(__pkg_match)
    exit(99);

  exit(0);
}
{"id": "OPENVAS:1361412562310865607", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for rubygem-rack FEDORA-2013-2306", "description": "The remote host is missing an update for the ", "published": "2013-05-09T00:00:00", "modified": "2019-03-15T00:00:00", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865607", "reporter": "Copyright (c) 2013 Greenbone Networks GmbH", "references": ["http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104672.html", "2013-2306"], "cvelist": ["CVE-2011-6109", "CVE-2013-0262", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0263"], "lastseen": "2019-05-29T18:37:59", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310892783", "OPENVAS:865604", "OPENVAS:1361412562310121185", "OPENVAS:865250", "OPENVAS:865607", "OPENVAS:892783", "OPENVAS:1361412562310865243", "OPENVAS:865243", "OPENVAS:1361412562310865250", "OPENVAS:1361412562310865604"]}, {"type": "cve", "idList": ["CVE-2013-0184", "CVE-2013-2306", "CVE-2013-0183", "CVE-2013-0263", "CVE-2013-0262"]}, {"type": "nessus", "idList": ["FEDORA_2013-0896.NASL", "FEDORA_2013-2315.NASL", "FEDORA_2013-2306.NASL", "OPENSUSE-2013-152.NASL", "FEDORA_2013-0861.NASL", "GENTOO_GLSA-201405-10.NASL", "REDHAT-RHSA-2013-0638.NASL", "FREEBSD_PKG_FCFDABB7F14D4E61A7D5CFEFB4B99B15.NASL", "DEBIAN_DSA-2783.NASL", "FEDORA_2013-0837.NASL"]}, {"type": "gentoo", "idList": ["GLSA-201405-10"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13370", "SECURITYVULNS:DOC:29957"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2783-1:70ED3", "DEBIAN:DSA-2783-2:41A1A"]}, {"type": "freebsd", "idList": ["FCFDABB7-F14D-4E61-A7D5-CFEFB4B99B15"]}, {"type": "github", "idList": ["GHSA-3PXH-H8HW-MJ8W", "GHSA-85R7-W5MV-C849"]}, {"type": "redhat", "idList": ["RHSA-2013:0638", "RHSA-2013:0544", "RHSA-2013:0686"]}, {"type": "suse", "idList": 
["SUSE-SU-2013:0508-1"]}], "modified": "2019-05-29T18:37:59", "rev": 2}, "score": {"value": 6.9, "vector": "NONE", "modified": "2019-05-29T18:37:59", "rev": 2}, "vulnersScore": 6.9}, "pluginID": "1361412562310865607", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-2306\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.865607\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-09 10:21:33 +0530 (Thu, 09 May 2013)\");\n script_cve_id(\"CVE-2013-0262\", \"CVE-2013-0263\", \"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-2306\");\n script_xref(name:\"FEDORA\", value:\"2013-2306\");\n script_xref(name:\"URL\", 
value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104672.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rubygem-rack'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC18\");\n script_tag(name:\"affected\", value:\"rubygem-rack on Fedora 18\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~5.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks"}
{"openvas": [{"lastseen": "2019-05-29T18:37:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2013-0262", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0263"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-05-09T00:00:00", "id": "OPENVAS:1361412562310865604", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865604", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-2315", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-2315\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.865604\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-09 10:21:17 +0530 (Thu, 09 May 2013)\");\n script_cve_id(\"CVE-2013-0262\", \"CVE-2013-0263\", \"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-2315\");\n script_xref(name:\"FEDORA\", value:\"2013-2315\");\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104668.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rubygem-rack'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"rubygem-rack on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~4.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-25T10:51:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2013-0262", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0263"], "description": "Check for the Version of rubygem-rack", "modified": "2017-07-10T00:00:00", "published": "2013-05-09T00:00:00", "id": "OPENVAS:865607", "href": "http://plugins.openvas.org/nasl.php?oid=865607", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-2306", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-2306\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"rubygem-rack on Fedora 18\";\ntag_insight = \"Rack provides a common API for connecting web frameworks,\n web servers and layers of software in between\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(865607);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-09 10:21:33 +0530 (Thu, 09 May 2013)\");\n script_cve_id(\"CVE-2013-0262\", \"CVE-2013-0263\", \"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-2306\");\n\n script_xref(name: \"FEDORA\", value: \"2013-2306\");\n script_xref(name: \"URL\" , value: \"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104672.html\");\n script_summary(\"Check for the Version of rubygem-rack\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~5.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:51:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2013-0262", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0263"], "description": "Check for the Version of rubygem-rack", "modified": "2017-07-10T00:00:00", "published": "2013-05-09T00:00:00", "id": "OPENVAS:865604", "href": "http://plugins.openvas.org/nasl.php?oid=865604", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-2315", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-2315\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"rubygem-rack on Fedora 17\";\ntag_insight = \"Rack provides a common API for connecting web frameworks,\n web servers and layers of software in between\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(865604);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-09 10:21:17 +0530 (Thu, 09 May 2013)\");\n script_cve_id(\"CVE-2013-0262\", \"CVE-2013-0263\", \"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-2315\");\n\n script_xref(name: \"FEDORA\", value: \"2013-2315\");\n script_xref(name: \"URL\" , value: \"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104668.html\");\n script_summary(\"Check for the Version of rubygem-rack\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~4.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:36:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0262", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0263"], "description": "Gentoo Linux Local Security Checks GLSA 201405-10", "modified": "2018-10-26T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121185", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121185", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201405-10", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201405-10.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121185\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:27:10 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201405-10\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in Rack. Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201405-10\");\n script_cve_id(\"CVE-2012-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2013-0262\", \"CVE-2013-0263\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201405-10\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"dev-ruby/rack\", unaffected: make_list(\"ge 1.4.5\"), vulnerable: make_list() )) != NULL) 
{\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"dev-ruby/rack\", unaffected: make_list(\"ge 1.3.10\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"dev-ruby/rack\", unaffected: make_list(\"ge 1.2.8\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"dev-ruby/rack\", unaffected: make_list(\"ge 1.1.6\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"dev-ruby/rack\", unaffected: make_list(), vulnerable: make_list(\"lt 1.4.5\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-10-30T10:50:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0183", "CVE-2011-5036", "CVE-2013-0184", "CVE-2013-0263"], "description": "Several vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. The Common Vulnerabilities and Exposures project\nidentifies the following vulnerabilities:\n\nCVE-2011-5036 \nRack computes hash values for form parameters without restricting\nthe ability to trigger hash collisions predictably, which allows\nremote attackers to cause a denial of service (CPU consumption)\nby sending many crafted parameters.\n\nCVE-2013-0183 \nA remote attacker could cause a denial of service (memory\nconsumption and out-of-memory error) via a long string in a\nMultipart HTTP packet.\n\nCVE-2013-0184 \nA vulnerability in Rack::Auth::AbstractRequest allows remote\nattackers to cause a denial of service via unknown vectors.\n\nCVE-2013-0263 \nRack::Session::Cookie allows remote attackers to guess the\nsession cookie, gain privileges, and execute arbitrary code via a\ntiming attack involving an HMAC comparison function that does not\nrun in constant time.", "modified": "2017-10-26T00:00:00", "published": "2013-10-21T00:00:00", "id": "OPENVAS:892783", "href": 
"http://plugins.openvas.org/nasl.php?oid=892783", "type": "openvas", "title": "Debian Security Advisory DSA 2783-1 (librack-ruby - several vulnerabilities)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2783.nasl 7585 2017-10-26 15:03:01Z cfischer $\n# Auto-generated from advisory DSA 2783-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"librack-ruby on Debian Linux\";\ntag_insight = \"Rack provides a minimal, modular and adaptable interface for\ndeveloping web applications in Ruby. By wrapping HTTP requests and\nresponses in the simplest way possible, it unifies and distills the\nAPI for web servers, web frameworks, and software in between (the\nso-called middleware) into a single method call.\";\ntag_solution = \"For the oldstable distribution (squeeze), these problems have been fixed in\nversion 1.1.0-4+squeeze1.\n\nThe stable, testing and unstable distributions do not contain the\nlibrack-ruby package. 
They have already been addressed in version\n1.4.1-2.1 of the ruby-rack package.\n\nWe recommend that you upgrade your librack-ruby packages.\";\ntag_summary = \"Several vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. The Common Vulnerabilities and Exposures project\nidentifies the following vulnerabilities:\n\nCVE-2011-5036 \nRack computes hash values for form parameters without restricting\nthe ability to trigger hash collisions predictably, which allows\nremote attackers to cause a denial of service (CPU consumption)\nby sending many crafted parameters.\n\nCVE-2013-0183 \nA remote attacker could cause a denial of service (memory\nconsumption and out-of-memory error) via a long string in a\nMultipart HTTP packet.\n\nCVE-2013-0184 \nA vulnerability in Rack::Auth::AbstractRequest allows remote\nattackers to cause a denial of service via unknown vectors.\n\nCVE-2013-0263 \nRack::Session::Cookie allows remote attackers to guess the\nsession cookie, gain privileges, and execute arbitrary code via a\ntiming attack involving an HMAC comparison function that does not\nrun in constant time.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(892783);\n script_version(\"$Revision: 7585 $\");\n script_cve_id(\"CVE-2011-5036\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2013-0263\");\n script_name(\"Debian Security Advisory DSA 2783-1 (librack-ruby - several vulnerabilities)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-10-26 17:03:01 +0200 (Thu, 26 Oct 2017) $\");\n script_tag(name: \"creation_date\", value:\"2013-10-21 00:00:00 +0200 (Mon, 21 Oct 2013)\");\n script_tag(name: \"cvss_base\", value:\"5.1\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2013/dsa-2783.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n 
script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"librack-ruby\", ver:\"1.1.0-4+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"librack-ruby1.8\", ver:\"1.1.0-4+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"librack-ruby1.9.1\", ver:\"1.1.0-4+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:37:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0183", "CVE-2011-5036", "CVE-2013-0184", "CVE-2013-0263"], "description": "Several vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. 
The Common Vulnerabilities and Exposures project\nidentifies the following vulnerabilities:\n\nCVE-2011-5036\nRack computes hash values for form parameters without restricting\nthe ability to trigger hash collisions predictably, which allows\nremote attackers to cause a denial of service (CPU consumption)\nby sending many crafted parameters.\n\nCVE-2013-0183\nA remote attacker could cause a denial of service (memory\nconsumption and out-of-memory error) via a long string in a\nMultipart HTTP packet.\n\nCVE-2013-0184\nA vulnerability in Rack::Auth::AbstractRequest allows remote\nattackers to cause a denial of service via unknown vectors.\n\nCVE-2013-0263\nRack::Session::Cookie allows remote attackers to guess the\nsession cookie, gain privileges, and execute arbitrary code via a\ntiming attack involving an HMAC comparison function that does not\nrun in constant time.", "modified": "2019-03-18T00:00:00", "published": "2013-10-21T00:00:00", "id": "OPENVAS:1361412562310892783", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892783", "type": "openvas", "title": "Debian Security Advisory DSA 2783-1 (librack-ruby - several vulnerabilities)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2783.nasl 14276 2019-03-18 14:43:56Z cfischer $\n# Auto-generated from advisory DSA 2783-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892783\");\n script_version(\"$Revision: 14276 $\");\n script_cve_id(\"CVE-2011-5036\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2013-0263\");\n script_name(\"Debian Security Advisory DSA 2783-1 (librack-ruby - several vulnerabilities)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:43:56 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-21 00:00:00 +0200 (Mon, 21 Oct 2013)\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2013/dsa-2783.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB6\");\n script_tag(name:\"affected\", value:\"librack-ruby on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (squeeze), these problems have been fixed in\nversion 1.1.0-4+squeeze1.\n\nThe stable, testing and unstable distributions do not contain the\nlibrack-ruby package. They have already been addressed in version\n1.4.1-2.1 of the ruby-rack package.\n\nWe recommend that you upgrade your librack-ruby packages.\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. 
The Common Vulnerabilities and Exposures project\nidentifies the following vulnerabilities:\n\nCVE-2011-5036\nRack computes hash values for form parameters without restricting\nthe ability to trigger hash collisions predictably, which allows\nremote attackers to cause a denial of service (CPU consumption)\nby sending many crafted parameters.\n\nCVE-2013-0183\nA remote attacker could cause a denial of service (memory\nconsumption and out-of-memory error) via a long string in a\nMultipart HTTP packet.\n\nCVE-2013-0184\nA vulnerability in Rack::Auth::AbstractRequest allows remote\nattackers to cause a denial of service via unknown vectors.\n\nCVE-2013-0263\nRack::Session::Cookie allows remote attackers to guess the\nsession cookie, gain privileges, and execute arbitrary code via a\ntiming attack involving an HMAC comparison function that does not\nrun in constant time.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"librack-ruby\", ver:\"1.1.0-4+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"librack-ruby1.8\", ver:\"1.1.0-4+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"librack-ruby1.9.1\", ver:\"1.1.0-4+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:38:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", 
"published": "2013-01-28T00:00:00", "id": "OPENVAS:1361412562310865243", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865243", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-0837", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-0837\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097518.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865243\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-28 09:33:40 +0530 (Mon, 28 Jan 2013)\");\n script_cve_id(\"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2012-6109\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"FEDORA\", value:\"2013-0837\");\n 
script_name(\"Fedora Update for rubygem-rack FEDORA-2013-0837\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rubygem-rack'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC18\");\n script_tag(name:\"affected\", value:\"rubygem-rack on Fedora 18\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~4.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2018-01-18T11:09:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "description": "Check for the Version of rubygem-rack", "modified": "2018-01-18T00:00:00", "published": "2013-01-28T00:00:00", "id": "OPENVAS:865243", "href": "http://plugins.openvas.org/nasl.php?oid=865243", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-0837", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-0837\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# 
This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"rubygem-rack on Fedora 18\";\ntag_insight = \"Rack provides a common API for connecting web frameworks,\n web servers and layers of software in between\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097518.html\");\n script_id(865243);\n script_version(\"$Revision: 8456 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-18 07:58:40 +0100 (Thu, 18 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-28 09:33:40 +0530 (Mon, 28 Jan 2013)\");\n script_cve_id(\"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2012-6109\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2013-0837\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-0837\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of rubygem-rack\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local 
Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~4.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:51:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "description": "Check for the Version of rubygem-rack", "modified": "2017-07-10T00:00:00", "published": "2013-01-28T00:00:00", "id": "OPENVAS:865250", "href": "http://plugins.openvas.org/nasl.php?oid=865250", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-0861", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-0861\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied 
warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"rubygem-rack on Fedora 17\";\ntag_insight = \"Rack provides a common API for connecting web frameworks,\n web servers and layers of software in between\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097523.html\");\n script_id(865250);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-28 09:34:23 +0530 (Mon, 28 Jan 2013)\");\n script_cve_id(\"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2012-6109\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2013-0861\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-0861\");\n\n script_summary(\"Check for the Version of rubygem-rack\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", 
value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~3.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:37:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-01-28T00:00:00", "id": "OPENVAS:1361412562310865250", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865250", "type": "openvas", "title": "Fedora Update for rubygem-rack FEDORA-2013-0861", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-rack FEDORA-2013-0861\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097523.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865250\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-28 09:34:23 +0530 (Mon, 28 Jan 2013)\");\n script_cve_id(\"CVE-2011-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2012-6109\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"FEDORA\", value:\"2013-0861\");\n script_name(\"Fedora Update for rubygem-rack FEDORA-2013-0861\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rubygem-rack'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"rubygem-rack on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n 
exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-rack\", rpm:\"rubygem-rack~1.4.0~3.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2011-6109", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0262", "CVE-2013-0263"], "description": "Rack provides a common API for connecting web frameworks, web servers and layers of software in between ", "modified": "2013-05-07T18:29:19", "published": "2013-05-07T18:29:19", "id": "FEDORA:724CE206A4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: rubygem-rack-1.4.0-4.fc17", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2011-6109", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0262", "CVE-2013-0263"], "description": "Rack provides a common API for connecting web frameworks, web servers and layers of software in between ", "modified": "2013-05-07T18:33:02", "published": "2013-05-07T18:33:02", "id": "FEDORA:347A92074D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: rubygem-rack-1.4.0-5.fc18", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "description": "Rack provides a common API for connecting web frameworks, web servers and layers of software in between ", "modified": "2013-01-25T21:44:01", "published": "2013-01-25T21:44:01", "id": "FEDORA:4D80520F46", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: rubygem-rack-1.4.0-3.fc17", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:51", 
"bulletinFamily": "unix", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "description": "Rack provides a common API for connecting web frameworks, web servers and layers of software in between ", "modified": "2013-01-25T21:37:50", "published": "2013-01-25T21:37:50", "id": "FEDORA:7A4F420891", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: rubygem-rack-1.4.0-4.fc18", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2011-5036", "CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "description": "Rack provides a common API for connecting web frameworks, web servers and layers of software in between ", "modified": "2013-01-25T21:34:26", "published": "2013-01-25T21:34:26", "id": "FEDORA:47B6420F0B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: rubygem-rack-1.3.0-3.fc16", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2020-10-03T12:45:53", "description": "rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka \"symlink path traversals.\"", "edition": 3, "cvss3": {}, "published": "2013-02-08T20:55:00", "title": "CVE-2013-0262", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0262"], "modified": "2018-08-13T21:47:00", "cpe": ["cpe:/a:rack_project:rack:1.4.4", "cpe:/a:rack_project:rack:1.4.3", "cpe:/a:rack_project:rack:1.4.0", "cpe:/a:rack_project:rack:1.4.2", "cpe:/a:rack_project:rack:1.5.0", "cpe:/a:rack_project:rack:1.5.1", "cpe:/a:rack_project:rack:1.4.1"], "id": "CVE-2013-0262", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0262", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:rack_project:rack:1.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.5.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:45:53", "description": "Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to \"symbolized arbitrary strings.\"", "edition": 3, "cvss3": {}, "published": "2013-03-01T05:40:00", "title": "CVE-2013-0184", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0184"], "modified": "2013-10-31T03:30:00", "cpe": ["cpe:/a:rack_project:rack:1.2.0", "cpe:/a:rack_project:rack:1.3.5", "cpe:/a:rack_project:rack:1.2.2", 
"cpe:/a:rack_project:rack:1.3.2", "cpe:/a:rack_project:rack:1.2.6", "cpe:/a:rack_project:rack:1.4.3", "cpe:/a:rack_project:rack:1.3.7", "cpe:/a:rack_project:rack:1.1.0", "cpe:/a:rack_project:rack:1.2.3", "cpe:/a:rack_project:rack:1.1.4", "cpe:/a:rack_project:rack:1.3.8", "cpe:/a:rack_project:rack:1.2.1", "cpe:/a:rack_project:rack:1.4.0", "cpe:/a:rack_project:rack:1.1.3", "cpe:/a:rack_project:rack:1.1.2", "cpe:/a:rack_project:rack:1.4.2", "cpe:/a:rack_project:rack:1.3.0", "cpe:/a:rack_project:rack:1.3.4", "cpe:/a:rack_project:rack:1.4.1", "cpe:/a:rack_project:rack:1.3.3", "cpe:/a:rack_project:rack:1.3.6", "cpe:/a:rack_project:rack:1.2.4", "cpe:/a:rack_project:rack:1.3.1"], "id": "CVE-2013-0184", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0184", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:rack_project:rack:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:rack_project:rack:1.2.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:45:53", "description": "Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.", "edition": 3, "cvss3": {}, "published": "2013-02-08T20:55:00", "title": "CVE-2013-0263", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0263"], "modified": "2018-08-13T21:47:00", "cpe": ["cpe:/a:rack_project:rack:1.4.4", "cpe:/a:rack_project:rack:1.2.0", "cpe:/a:rack_project:rack:1.3.5", "cpe:/a:rack_project:rack:1.2.2", "cpe:/a:rack_project:rack:1.3.2", "cpe:/a:rack_project:rack:1.2.6", "cpe:/a:rack_project:rack:1.4.3", "cpe:/a:rack_project:rack:1.3.7", "cpe:/a:rack_project:rack:1.1.0", "cpe:/a:rack_project:rack:1.1.6", "cpe:/a:rack_project:rack:1.2.3", "cpe:/a:rack_project:rack:1.2.7", "cpe:/a:rack_project:rack:1.1.4", "cpe:/a:rack_project:rack:1.3.8", "cpe:/a:rack_project:rack:1.2.1", "cpe:/a:rack_project:rack:1.4.0", "cpe:/a:rack_project:rack:1.4.2", "cpe:/a:rack_project:rack:1.3.0", "cpe:/a:rack_project:rack:1.5.0", "cpe:/a:rack_project:rack:1.5.1", "cpe:/a:rack_project:rack:1.3.4", "cpe:/a:rack_project:rack:1.4.1", "cpe:/a:rack_project:rack:1.3.3", "cpe:/a:rack_project:rack:1.3.9", "cpe:/a:rack_project:rack:1.3.6", 
"cpe:/a:rack_project:rack:1.2.4", "cpe:/a:rack_project:rack:1.3.1", "cpe:/a:rack_project:rack:1.1.5"], "id": "CVE-2013-0263", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0263", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:rack_project:rack:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.2.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:45:53", "description": "multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet.", "edition": 3, "cvss3": {}, 
"published": "2013-03-01T05:40:00", "title": "CVE-2013-0183", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0183"], "modified": "2018-08-13T21:47:00", "cpe": ["cpe:/a:rack_project:rack:1.3.5", "cpe:/a:rack_project:rack:1.3.2", "cpe:/a:rack_project:rack:1.3.7", "cpe:/a:rack_project:rack:1.4.0", "cpe:/a:rack_project:rack:1.4.2", "cpe:/a:rack_project:rack:1.3.0", "cpe:/a:rack_project:rack:1.3.4", "cpe:/a:rack_project:rack:1.4.1", "cpe:/a:rack_project:rack:1.3.3", "cpe:/a:rack_project:rack:1.3.6", "cpe:/a:rack_project:rack:1.3.1"], "id": "CVE-2013-0183", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0183", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:rack_project:rack:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:rack_project:rack:1.3.0:*:*:*:*:*:*:*"]}], "gentoo": [{"lastseen": "2016-09-06T19:46:11", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0262", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0263"], "description": "### Background\n\nRack is a 
modular Ruby web server interface.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Rack. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or obtain sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Rack 1.4 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-ruby/rack-1.4.5\"\n \n\nAll Rack 1.3 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-ruby/rack-1.3.10\"\n \n\nAll Rack 1.2 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-ruby/rack-1.2.8\"\n \n\nAll Rack 1.1 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-ruby/rack-1.1.6\"", "edition": 1, "modified": "2014-05-17T00:00:00", "published": "2014-05-17T00:00:00", "id": "GLSA-201405-10", "href": "https://security.gentoo.org/glsa/201405-10", "type": "gentoo", "title": "Rack: Multiple vulnerabilities", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-07T10:55:43", "description": "The remote host is affected by the vulnerability described in GLSA-201405-10\n(Rack: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Rack. 
Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, cause a Denial of Service condition, or obtain\n sensitive information.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 21, "published": "2014-05-19T00:00:00", "title": "GLSA-201405-10 : Rack: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0262", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184", "CVE-2013-0263"], "modified": "2014-05-19T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:rack", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201405-10.NASL", "href": "https://www.tenable.com/plugins/nessus/74053", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201405-10.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74053);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2012-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2013-0262\", \"CVE-2013-0263\");\n script_bugtraq_id(57860, 57862, 58767, 58768, 58769);\n script_xref(name:\"GLSA\", value:\"201405-10\");\n\n script_name(english:\"GLSA-201405-10 : Rack: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201405-10\n(Rack: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Rack. 
Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, cause a Denial of Service condition, or obtain\n sensitive information.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201405-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Rack 1.4 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-ruby/rack-1.4.5'\n All Rack 1.3 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-ruby/rack-1.3.10'\n All Rack 1.2 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-ruby/rack-1.2.8'\n All Rack 1.1 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-ruby/rack-1.1.6'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/05/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-ruby/rack\", unaffected:make_list(\"ge 1.4.5\", \"rge 1.3.10\", \"rge 1.2.8\", \"rge 1.1.6\"), vulnerable:make_list(\"lt 1.4.5\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Rack\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:48:11", "description": "Several vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. 
The Common Vulnerabilities and Exposures project\nidentifies the following vulnerabilities :\n\n - CVE-2011-5036\n Rack computes hash values for form parameters without\n restricting the ability to trigger hash collisions\n predictably, which allows remote attackers to cause a\n denial of service (CPU consumption) by sending many\n crafted parameters.\n\n - CVE-2013-0183\n A remote attacker could cause a denial of service\n (memory consumption and out-of-memory error) via a long\n string in a Multipart HTTP packet.\n\n - CVE-2013-0184\n A vulnerability in Rack::Auth::AbstractRequest allows\n remote attackers to cause a denial of service via\n unknown vectors.\n\n - CVE-2013-0263\n Rack::Session::Cookie allows remote attackers to guess\n the session cookie, gain privileges, and execute\n arbitrary code via a timing attack involving an HMAC\n comparison function that does not run in constant time.", "edition": 16, "published": "2013-10-22T00:00:00", "title": "Debian DSA-2783-1 : librack-ruby - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0183", "CVE-2011-5036", "CVE-2013-0184", "CVE-2013-0263"], "modified": "2013-10-22T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:librack-ruby"], "id": "DEBIAN_DSA-2783.NASL", "href": "https://www.tenable.com/plugins/nessus/70534", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2783. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(70534);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-5036\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2013-0263\");\n script_bugtraq_id(51197, 57860, 58769);\n script_xref(name:\"DSA\", value:\"2783\");\n\n script_name(english:\"Debian DSA-2783-1 : librack-ruby - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. The Common Vulnerabilites and Exposures project\nidentifies the following vulnerabilities :\n\n - CVE-2011-5036\n Rack computes hash values for form parameters without\n restricting the ability to trigger hash collisions\n predictably, which allows remote attackers to cause a\n denial of service (CPU consumption) by sending many\n crafted parameters.\n\n - CVE-2013-0183\n A remote attacker could cause a denial of service\n (memory consumption and out-of-memory error) via a long\n string in a Multipart HTTP packet.\n\n - CVE-2013-0184\n A vulnerability in Rack::Auth::AbstractRequest allows\n remote attackers to cause a denial of service via\n unknown vectors.\n\n - CVE-2013-0263\n Rack::Session::Cookie allows remote attackers to guess\n the session cookie, gain privileges, and execute\n arbitrary code via a timing attack involving an HMAC\n comparison function that does not run in constant time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653963\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698440\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700226\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-5036\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2013-0183\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2013-0184\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2013-0263\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/librack-ruby\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2013/dsa-2783\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the librack-ruby packages.\n\nFor the oldstable distribution (squeeze), these problems have been\nfixed in version 1.1.0-4+squeeze1.\n\nThe stable, testing and unstable distributions do not contain the\nlibrack-ruby package. 
They have already been addressed in version\n1.4.1-2.1 of the ruby-rack package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:librack-ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"librack-ruby\", reference:\"1.1.0-4+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"librack-ruby1.8\", reference:\"1.1.0-4+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"librack-ruby1.9.1\", reference:\"1.1.0-4+squeeze1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n 
exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:10:48", "description": "Fixes for CVE-2011-6109, CVE-2013-0183 and CVE-2013-0184.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2013-01-28T00:00:00", "title": "Fedora 18 : rubygem-rack-1.4.0-4.fc18 (2013-0837)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "modified": "2013-01-28T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:18", "p-cpe:/a:fedoraproject:fedora:rubygem-rack"], "id": "FEDORA_2013-0837.NASL", "href": "https://www.tenable.com/plugins/nessus/64251", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-0837.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64251);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\");\n script_xref(name:\"FEDORA\", value:\"2013-0837\");\n\n script_name(english:\"Fedora 18 : rubygem-rack-1.4.0-4.fc18 (2013-0837)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fixes for CVE-2011-6109, CVE-2013-0183 and CVE-2013-0184.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the 
Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895282\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895384\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097518.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8c3f85b7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-rack package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, 
\"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"rubygem-rack-1.4.0-4.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-rack\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:10:49", "description": "Fixes for CVE-2011-6109, CVE-2013-0183 and CVE-2013-0184.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2013-01-28T00:00:00", "title": "Fedora 16 : rubygem-rack-1.3.0-3.fc16 (2013-0896)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "modified": "2013-01-28T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:rubygem-rack", "cpe:/o:fedoraproject:fedora:16"], "id": "FEDORA_2013-0896.NASL", "href": "https://www.tenable.com/plugins/nessus/64254", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-0896.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64254);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\");\n script_xref(name:\"FEDORA\", value:\"2013-0896\");\n\n script_name(english:\"Fedora 16 : rubygem-rack-1.3.0-3.fc16 (2013-0896)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fixes for CVE-2011-6109, CVE-2013-0183 and CVE-2013-0184.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895282\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895384\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097501.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5c6c3360\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-rack package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = 
eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"rubygem-rack-1.3.0-3.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-rack\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:10:48", "description": "Fixes for CVE-2011-6109, CVE-2013-0183 and CVE-2013-0184.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2013-01-28T00:00:00", "title": "Fedora 17 : rubygem-rack-1.4.0-3.fc17 (2013-0861)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-6109", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0184"], "modified": "2013-01-28T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:rubygem-rack", "cpe:/o:fedoraproject:fedora:17"], "id": "FEDORA_2013-0861.NASL", "href": "https://www.tenable.com/plugins/nessus/64253", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-0861.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64253);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\");\n script_xref(name:\"FEDORA\", value:\"2013-0861\");\n\n script_name(english:\"Fedora 17 : rubygem-rack-1.4.0-3.fc17 (2013-0861)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fixes for CVE-2011-6109, CVE-2013-0183 and CVE-2013-0184.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895282\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895384\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097523.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?08b0180e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-rack package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = 
eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"rubygem-rack-1.4.0-3.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-rack\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-20T12:26:12", "description": "The Ruby on Rails 2.3 stack was updated to 2.3.17. The Ruby on Rails\n3.2 stack was updated to 3.2.12.\n\nThe Ruby Rack was updated to 1.1.6. The Ruby Rack was\nupdated to 1.2.8. The Ruby Rack was updated to 1.3.10. 
The\nRuby Rack was updated to 1.4.5.\n\nThe updates fix various security issues and bugs.\n\n - update to version 2.3.17 (bnc#803336, bnc#803339)\n CVE-2013-0276 CVE-2013-0277 :\n\n - update to version 3.2.12 (bnc#803336) CVE-2013-0276 :\n\n - update to version 3.2.12 (bnc#803336) CVE-2013-0276:\n issue with attr_protected where malformed input could\n circumvent protection\n\n - update to version 2.3.17 (bnc#803336, bnc#803339)\n CVE-2013-0276 CVE-2013-0277 :\n\n - Fix issue with attr_protected where malformed input\n could circumvent protection\n\n - Fix Serialized Attributes YAML Vulnerability\n\n - update to version 2.3.17 (bnc#803336, bnc#803339)\n CVE-2013-0276 CVE-2013-0277 :\n\n - Fix issue with attr_protected where malformed input\n could circumvent protection\n\n - Fix Serialized Attributes YAML Vulnerability\n\n - update to version 3.2.12 (bnc#803336) CVE-2013-0276 :\n\n - Quote numeric values being compared to non-numeric\n columns. Otherwise, in some database, the string column\n values will be coerced to a numeric allowing 0, 0.0 or\n false to match any string starting with a non-digit.\n\n - update to 1.1.6 (bnc#802794)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - update to 1.2.8 (bnc#802794)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - update to 1.3.10 (bnc#802794)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - ruby rack update to 1.4.5 (bnc#802794 bnc#802795)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - Fix CVE-2013-0262, symlink path traversal in Rack::File\n\n - ruby rack update to 1.4.4 (bnc#798452)\n\n - [SEC] Rack::Auth::AbstractRequest no longer symbolizes\n arbitrary strings (CVE-2013-0184)\n\n - ruby rack changes from 1.4.3\n\n - Security: Prevent unbounded reads in large multipart\n boundaries (CVE-2013-0183)\n\n - ruby rack changes from 1.4.2 (CVE-2012-6109)\n\n - Add warnings when users do not provide a session 
secret\n\n - Fix parsing performance for unquoted filenames\n\n - Updated URI backports\n\n - Fix URI backport version matching, and silence constant\n warnings\n\n - Correct parameter parsing with empty values\n\n - Correct rackup '-I' flag, to allow multiple uses\n\n - Correct rackup pidfile handling\n\n - Report rackup line numbers correctly\n\n - Fix request loops caused by non-stale nonces with time\n limits\n\n - Fix reloader on Windows\n\n - Prevent infinite recursions from Response#to_ary\n\n - Various middleware better conforms to the body close\n specification\n\n - Updated language for the body close specification\n\n - Additional notes regarding ECMA escape compatibility\n issues\n\n - Fix the parsing of multiple ranges in range headers\n\n - Prevent errors from empty parameter keys\n\n - Added PATCH verb to Rack::Request\n\n - Various documentation updates\n\n - Fix session merge semantics (fixes rack-test)\n\n - Rack::Static :index can now handle multiple directories\n\n - All tests now utilize Rack::Lint (special thanks to Lars\n Gierth)\n\n - Rack::File cache_control parameter is now deprecated,\n and removed by 1.5\n\n - Correct Rack::Directory script name escaping\n\n - Rack::Static supports header rules for sophisticated\n configurations\n\n - Multipart parsing now works without a Content-Length\n header\n\n - New logos courtesy of Zachary Scott!\n\n - Rack::BodyProxy now explicitly defines #each, useful for\n C extensions\n\n - Cookies that are not URI escaped no longer cause\n exceptions", "edition": 20, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : RubyOnRails (openSUSE-SU-2013:0338-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0276", "CVE-2013-0262", "CVE-2012-6109", "CVE-2013-0183", "CVE-2013-0277", "CVE-2013-0184", "CVE-2013-0263"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:rubygem-rails", "p-cpe:/a:novell:opensuse:rubygem-activesupport-3_2", 
"p-cpe:/a:novell:opensuse:rubygem-rack-1_1", "p-cpe:/a:novell:opensuse:rubygem-activerecord-2_3", "p-cpe:/a:novell:opensuse:rubygem-actionmailer", "p-cpe:/a:novell:opensuse:rubygem-actionpack", "p-cpe:/a:novell:opensuse:rubygem-actionmailer-2_3-testsuite", "p-cpe:/a:novell:opensuse:rubygem-actionpack-3_2", "cpe:/o:novell:opensuse:12.1", "p-cpe:/a:novell:opensuse:rubygem-rack-1_1-testsuite", "p-cpe:/a:novell:opensuse:rubygem-activerecord-2_3-testsuite", "p-cpe:/a:novell:opensuse:rubygem-actionpack-2_3", "p-cpe:/a:novell:opensuse:rubygem-rails-2_3", "p-cpe:/a:novell:opensuse:rubygem-rack-1_2-testsuite", "p-cpe:/a:novell:opensuse:rubygem-activesupport", "p-cpe:/a:novell:opensuse:rubygem-activeresource", "p-cpe:/a:novell:opensuse:rubygem-rails-3_2", "p-cpe:/a:novell:opensuse:rubygem-activeresource-3_2", "p-cpe:/a:novell:opensuse:rubygem-railties-3_2", "p-cpe:/a:novell:opensuse:rubygem-activemodel-3_2", "p-cpe:/a:novell:opensuse:rubygem-activeresource-2_3-testsuite", "p-cpe:/a:novell:opensuse:rubygem-rack-1_3-testsuite", "p-cpe:/a:novell:opensuse:rubygem-activeresource-2_3", "p-cpe:/a:novell:opensuse:rubygem-actionmailer-2_3", "p-cpe:/a:novell:opensuse:rubygem-actionpack-2_3-testsuite", "p-cpe:/a:novell:opensuse:rubygem-rack-1_3", "p-cpe:/a:novell:opensuse:rubygem-rack-1_2", "p-cpe:/a:novell:opensuse:rubygem-actionmailer-3_2", "p-cpe:/a:novell:opensuse:rubygem-rack-1_4-testsuite", "p-cpe:/a:novell:opensuse:rubygem-activesupport-2_3", "p-cpe:/a:novell:opensuse:rubygem-activerecord", "p-cpe:/a:novell:opensuse:rubygem-rack-1_4", "cpe:/o:novell:opensuse:12.2", "p-cpe:/a:novell:opensuse:rubygem-activerecord-3_2"], "id": "OPENSUSE-2013-152.NASL", "href": "https://www.tenable.com/plugins/nessus/74900", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2013-152.\n#\n# The text description of this plugin is (C) SUSE 
LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74900);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-6109\", \"CVE-2013-0183\", \"CVE-2013-0184\", \"CVE-2013-0262\", \"CVE-2013-0263\", \"CVE-2013-0276\", \"CVE-2013-0277\");\n\n script_name(english:\"openSUSE Security Update : RubyOnRails (openSUSE-SU-2013:0338-1)\");\n script_summary(english:\"Check for the openSUSE-2013-152 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Ruby on Rails 2.3 stack was updated to 2.3.17. The Ruby on Rails\n3.2 stack was updated to 3.2.12.\n\nThe Ruby Rack was updated to 1.1.6. The Ruby Rack was\nupdated to 1.2.8. The Ruby Rack was updated to 1.3.10. The\nRuby Rack was updated to 1.4.5.\n\nThe updates fix various security issues and bugs.\n\n - update to version 2.3.17 (bnc#803336, bnc#803339)\n CVE-2013-0276 CVE-2013-0277 :\n\n - update to version 3.2.12 (bnc#803336) CVE-2013-0276 :\n\n - update to version 3.2.12 (bnc#803336) CVE-2013-0276:\n issue with attr_protected where malformed input could\n circumvent protection\n\n - update to version 2.3.17 (bnc#803336, bnc#803339)\n CVE-2013-0276 CVE-2013-0277 :\n\n - Fix issue with attr_protected where malformed input\n could circumvent protection\n\n - Fix Serialized Attributes YAML Vulnerability\n\n - update to version 2.3.17 (bnc#803336, bnc#803339)\n CVE-2013-0276 CVE-2013-0277 :\n\n - Fix issue with attr_protected where malformed input\n could circumvent protection\n\n - Fix Serialized Attributes YAML Vulnerability\n\n - update to version 3.2.12 (bnc#803336) CVE-2013-0276 :\n\n - Quote numeric values being compared to non-numeric\n columns. 
Otherwise, in some database, the string column\n values will be coerced to a numeric allowing 0, 0.0 or\n false to match any string starting with a non-digit.\n\n - update to 1.1.6 (bnc#802794)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - update to 1.2.8 (bnc#802794)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - update to 1.3.10 (bnc#802794)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - ruby rack update to 1.4.5 (bnc#802794 bnc#802795)\n\n - Fix CVE-2013-0263, timing attack against\n Rack::Session::Cookie\n\n - Fix CVE-2013-0262, symlink path traversal in Rack::File\n\n - ruby rack update to 1.4.4 (bnc#798452)\n\n - [SEC] Rack::Auth::AbstractRequest no longer symbolizes\n arbitrary strings (CVE-2013-0184)\n\n - ruby rack changes from 1.4.3\n\n - Security: Prevent unbounded reads in large multipart\n boundaries (CVE-2013-0183)\n\n - ruby rack changes from 1.4.2 (CVE-2012-6109)\n\n - Add warnings when users do not provide a session secret\n\n - Fix parsing performance for unquoted filenames\n\n - Updated URI backports\n\n - Fix URI backport version matching, and silence constant\n warnings\n\n - Correct parameter parsing with empty values\n\n - Correct rackup '-I' flag, to allow multiple uses\n\n - Correct rackup pidfile handling\n\n - Report rackup line numbers correctly\n\n - Fix request loops caused by non-stale nonces with time\n limits\n\n - Fix reloader on Windows\n\n - Prevent infinite recursions from Response#to_ary\n\n - Various middleware better conforms to the body close\n specification\n\n - Updated language for the body close specification\n\n - Additional notes regarding ECMA escape compatibility\n issues\n\n - Fix the parsing of multiple ranges in range headers\n\n - Prevent errors from empty parameter keys\n\n - Added PATCH verb to Rack::Request\n\n - Various documentation updates\n\n - Fix session merge semantics (fixes rack-test)\n\n - Rack::Static :index 
can now handle multiple directories\n\n - All tests now utilize Rack::Lint (special thanks to Lars\n Gierth)\n\n - Rack::File cache_control parameter is now deprecated,\n and removed by 1.5\n\n - Correct Rack::Directory script name escaping\n\n - Rack::Static supports header rules for sophisticated\n configurations\n\n - Multipart parsing now works without a Content-Length\n header\n\n - New logos courtesy of Zachary Scott!\n\n - Rack::BodyProxy now explicitly defines #each, useful for\n C extensions\n\n - Cookies that are not URI escaped no longer cause\n exceptions\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=798452\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=802794\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=802795\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=803336\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=803339\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2013-02/msg00071.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected RubyOnRails packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionmailer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionmailer-2_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionmailer-2_3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionmailer-3_2\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionpack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionpack-2_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionpack-2_3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionpack-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activemodel-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activerecord-2_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activerecord-2_3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activerecord-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activeresource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activeresource-2_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activeresource-2_3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activeresource-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activesupport\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activesupport-2_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activesupport-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_1-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_2\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_2-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rack-1_4-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rails-2_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rails-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-railties-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.1|SUSE12\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.1 / 12.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-actionmailer-2.3.17-2.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-actionmailer-2_3-2.3.17-3.13.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-actionmailer-2_3-testsuite-2.3.17-3.13.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-actionpack-2.3.17-2.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-actionpack-2_3-2.3.17-3.20.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-actionpack-2_3-testsuite-2.3.17-3.20.2\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activerecord-2.3.17-2.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activerecord-2_3-2.3.17-3.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activerecord-2_3-testsuite-2.3.17-3.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activeresource-2.3.17-2.11.1\") ) 
flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activeresource-2_3-2.3.17-3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activeresource-2_3-testsuite-2.3.17-3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activesupport-2.3.17-2.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activesupport-2_3-2.3.17-3.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-rack-1_1-1.1.6-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-rack-1_1-testsuite-1.1.6-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-rails-2.3.17-2.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-rails-2_3-2.3.17-3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionmailer-2.3.17-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionmailer-2_3-2.3.17-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionmailer-2_3-testsuite-2.3.17-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionmailer-3_2-3.2.12-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionpack-2.3.17-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionpack-2_3-2.3.17-2.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionpack-2_3-testsuite-2.3.17-2.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionpack-3_2-3.2.12-3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activemodel-3_2-3.2.12-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activerecord-2.3.17-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activerecord-2_3-2.3.17-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", 
reference:\"rubygem-activerecord-2_3-testsuite-2.3.17-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activerecord-3_2-3.2.12-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activeresource-2.3.17-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activeresource-2_3-2.3.17-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activeresource-2_3-testsuite-2.3.17-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activeresource-3_2-3.2.12-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activesupport-2.3.17-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activesupport-2_3-2.3.17-3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activesupport-3_2-3.2.12-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_1-1.1.6-6.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_1-testsuite-1.1.6-6.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_2-1.2.8-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_2-testsuite-1.2.8-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_3-1.3.10-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_3-testsuite-1.3.10-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_4-1.4.5-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rack-1_4-testsuite-1.4.5-2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rails-2.3.17-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rails-2_3-2.3.17-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rails-3_2-3.2.12-2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", 
reference:\"rubygem-railties-3_2-3.2.12-2.13.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"RubyOnRails\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:51:37", "description": "Rack developers report :\n\nToday we are proud to announce the release of Rack 1.4.5.\n\nFix CVE-2013-0263, timing attack against Rack::Session::Cookie\n\nFix CVE-2013-0262, symlink path traversal in Rack::File", "edition": 19, "published": "2013-02-18T00:00:00", "title": "FreeBSD : Ruby Rack Gem -- Multiple Issues (fcfdabb7-f14d-4e61-a7d5-cfefb4b99b15)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0262", "CVE-2013-0263"], "modified": "2013-02-18T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:rubygem18-rack", "p-cpe:/a:freebsd:freebsd:rubygem19-rack"], "id": "FREEBSD_PKG_FCFDABB7F14D4E61A7D5CFEFB4B99B15.NASL", "href": "https://www.tenable.com/plugins/nessus/64668", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64668);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2013-0262\", \"CVE-2013-0263\");\n\n script_name(english:\"FreeBSD : Ruby Rack Gem -- Multiple Issues (fcfdabb7-f14d-4e61-a7d5-cfefb4b99b15)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Rack developers report :\n\nToday we are proud to announce the release of Rack 1.4.5.\n\nFix CVE-2013-0263, timing attack against Rack::Session::Cookie\n\nFix CVE-2013-0262, symlink path traversal in 
Rack::File\"\n );\n # https://vuxml.freebsd.org/freebsd/fcfdabb7-f14d-4e61-a7d5-cfefb4b99b15.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?faf17e50\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem18-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem19-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"rubygem18-rack<1.4.5\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"rubygem19-rack<1.4.5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:11:33", "description": "Patch for\n\n - path sanitization information disclosure (CVE-2013-0262)\n\n - timing attack in cookie sessions (CVE-2013-0263)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2013-05-08T00:00:00", "title": "Fedora 18 : rubygem-rack-1.4.0-5.fc18 (2013-2306)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0262", "CVE-2013-0263"], "modified": "2013-05-08T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:18", "p-cpe:/a:fedoraproject:fedora:rubygem-rack"], "id": "FEDORA_2013-2306.NASL", "href": "https://www.tenable.com/plugins/nessus/66339", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-2306.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66339);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2013-0262\", \"CVE-2013-0263\");\n script_bugtraq_id(57860, 57862);\n script_xref(name:\"FEDORA\", value:\"2013-2306\");\n\n script_name(english:\"Fedora 18 : rubygem-rack-1.4.0-5.fc18 (2013-2306)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Patch for\n\n - path sanitization information disclosure (CVE-2013-0262)\n\n - timing attack in cookie sessions (CVE-2013-0263)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=909071\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=909072\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-May/104672.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c6c4578a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-rack package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"rubygem-rack-1.4.0-5.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-rack\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:11:33", "description": "Patch for\n\n - path sanitization information disclosure (CVE-2013-0262)\n\n - timing attack in cookie sessions (CVE-2013-0263)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2013-05-08T00:00:00", "title": "Fedora 17 : rubygem-rack-1.4.0-4.fc17 (2013-2315)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0262", "CVE-2013-0263"], "modified": "2013-05-08T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:rubygem-rack", "cpe:/o:fedoraproject:fedora:17"], "id": "FEDORA_2013-2315.NASL", "href": "https://www.tenable.com/plugins/nessus/66340", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-2315.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66340);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2013-0262\", \"CVE-2013-0263\");\n script_bugtraq_id(57860, 57862);\n script_xref(name:\"FEDORA\", value:\"2013-2315\");\n\n script_name(english:\"Fedora 17 : rubygem-rack-1.4.0-4.fc17 (2013-2315)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Patch for\n\n - path sanitization information disclosure (CVE-2013-0262)\n\n - timing attack in cookie sessions (CVE-2013-0263)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=909071\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=909072\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-May/104668.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d6950a8c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-rack package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"rubygem-rack-1.4.0-4.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-rack\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T13:12:11", "description": "Red Hat OpenShift Enterprise 1.1.2, which fixes several security\nissues, is now available.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS)\nsolution from Red Hat, and is designed for on-premise or private cloud\ndeployments.\n\nA flaw was found in the handling of paths provided to\nruby193-rubygem-rack. A remote attacker could use this flaw to conduct\na directory traversal attack by passing malformed requests.\n(CVE-2013-0262)\n\nA timing attack flaw was found in the way rubygem-rack and\nruby193-rubygem-rack processed HMAC digests in cookies. This flaw\ncould aid an attacker using forged digital signatures to bypass\nauthentication checks. (CVE-2013-0263)\n\nIt was found that Jenkins did not protect against Cross-Site Request\nForgery (CSRF) attacks. If a remote attacker could trick a user, who\nwas logged into Jenkins, into visiting a specially crafted URL, the\nattacker could perform operations on Jenkins. (CVE-2013-0327,\nCVE-2013-0329)\n\nA cross-site scripting (XSS) flaw was found in Jenkins. A remote\nattacker could use this flaw to conduct an XSS attack against users of\nJenkins. (CVE-2013-0328)\n\nA flaw could allow a Jenkins user to build jobs they do not have\naccess to. (CVE-2013-0330)\n\nA flaw could allow a Jenkins user to cause a denial of service if they\nare able to supply a specially crafted payload. (CVE-2013-0331)\n\nUsers are advised to upgrade to Red Hat OpenShift Enterprise 1.1.2. 
It\nis recommended that you restart your system after applying this\nupdate.", "edition": 19, "published": "2018-12-06T00:00:00", "title": "RHEL 6 : openshift (RHSA-2013:0638)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0262", "CVE-2013-0331", "CVE-2013-0327", "CVE-2013-0329", "CVE-2013-0328", "CVE-2013-0330", "CVE-2013-0263"], "modified": "2018-12-06T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:rubygem-rack", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-rack", "p-cpe:/a:redhat:enterprise_linux:jenkins", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-jenkins-1.4", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2013-0638.NASL", "href": "https://www.tenable.com/plugins/nessus/119433", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0638. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119433);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-0262\", \"CVE-2013-0263\", \"CVE-2013-0327\", \"CVE-2013-0328\", \"CVE-2013-0329\", \"CVE-2013-0330\", \"CVE-2013-0331\");\n script_bugtraq_id(57860, 57862, 57994, 58454, 58456, 58721, 58722, 58726);\n script_xref(name:\"RHSA\", value:\"2013:0638\");\n\n script_name(english:\"RHEL 6 : openshift (RHSA-2013:0638)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Red Hat OpenShift Enterprise 1.1.2, which fixes several security\nissues, is now available.\n\nThe Red Hat Security Response Team has 
rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS)\nsolution from Red Hat, and is designed for on-premise or private cloud\ndeployments.\n\nA flaw was found in the handling of paths provided to\nruby193-rubygem-rack. A remote attacker could use this flaw to conduct\na directory traversal attack by passing malformed requests.\n(CVE-2013-0262)\n\nA timing attack flaw was found in the way rubygem-rack and\nruby193-rubygem-rack processed HMAC digests in cookies. This flaw\ncould aid an attacker using forged digital signatures to bypass\nauthentication checks. (CVE-2013-0263)\n\nIt was found that Jenkins did not protect against Cross-Site Request\nForgery (CSRF) attacks. If a remote attacker could trick a user, who\nwas logged into Jenkins, into visiting a specially crafted URL, the\nattacker could perform operations on Jenkins. (CVE-2013-0327,\nCVE-2013-0329)\n\nA cross-site scripting (XSS) flaw was found in Jenkins. A remote\nattacker could use this flaw to conduct an XSS attack against users of\nJenkins. (CVE-2013-0328)\n\nA flaw could allow a Jenkins user to build jobs they do not have\naccess to. (CVE-2013-0330)\n\nA flaw could allow a Jenkins user to cause a denial of service if they\nare able to supply a specially crafted payload. (CVE-2013-0331)\n\nUsers are advised to upgrade to Red Hat OpenShift Enterprise 1.1.2. 
It\nis recommended that you restart your system after applying this\nupdate.\"\n );\n # https://wiki.jenkins-ci.org/display/SECURITY/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://wiki.jenkins.io/display/SECURITY/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0638\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0331\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0330\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0328\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0329\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0327\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0263\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0262\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-jenkins-1.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-rack\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0638\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", reference:\"jenkins-1.502-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-jenkins-1.4-1.0.3-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-rubygem-rack-1.4.1-4.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-rack-1.3.0-4.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jenkins / openshift-origin-cartridge-jenkins-1.4 / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-11-11T13:27:23", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0183", "CVE-2011-5036", "CVE-2013-0184", "CVE-2013-0263"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA-2783-2 
security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nOctober 24, 2013 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : librack-ruby\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2011-5036 CVE-2013-0183 CVE-2013-0184 CVE-2013-0263\nDebian Bug : 653963 698440 700226\n\nThe update of librack-ruby in DSA-2783-1 also addressed CVE-2013-0183.\nThe patch applied breaks rails applications like redmine (see Debian Bug\n#727187). Updated packages are available to address this problem.\n\nFor reference, the original advisory text follows:\n\nSeveral vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. The Common Vulnerabilities and Exposures project\nidentifies the following vulnerabilities:\n\nCVE-2011-5036\n\n Rack computes hash values for form parameters without restricting\n the ability to trigger hash collisions predictably, which allows\n remote attackers to cause a denial of service (CPU consumption)\n by sending many crafted parameters.\n\nCVE-2013-0184\n\n Vulnerability in Rack::Auth::AbstractRequest allows remote\n attackers to cause a denial of service via unknown vectors.\n\nCVE-2013-0263\n\n Rack::Session::Cookie allows remote attackers to guess the\n session cookie, gain privileges, and execute arbitrary code via a\n timing attack involving an HMAC comparison function that does not\n run in constant time.\n\nFor the oldstable distribution (squeeze), these problems have been fixed in\nversion 1.1.0-4+squeeze1.\n\nThe stable, testing and unstable distributions do not contain the\nlibrack-ruby package. 
They have already been addressed in version\n1.4.1-2.1 of the ruby-rack package.\n\nWe recommend that you upgrade your librack-ruby packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2013-10-24T19:29:57", "published": "2013-10-24T19:29:57", "id": "DEBIAN:DSA-2783-2:41A1A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00196.html", "title": "[SECURITY] [DSA 2783-2] librack-ruby regression update", "type": "debian", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-11T13:12:31", "bulletinFamily": "unix", "cvelist": ["CVE-2011-5036", "CVE-2013-0184", "CVE-2013-0263"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2783-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nOctober 21, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : librack-ruby\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2011-5036 CVE-2013-0184 CVE-2013-0263\nDebian Bug : 653963 698440 700226\n\nSeveral vulnerabilities were discovered in Rack, a modular Ruby\nwebserver interface. The Common Vulnerabilities and Exposures project\nidentifies the following vulnerabilities:\n\nCVE-2011-5036\n\n Rack computes hash values for form parameters without restricting\n the ability to trigger hash collisions predictably, which allows\n remote attackers to cause a denial of service (CPU consumption)\n by sending many crafted parameters. 
\n\nCVE-2013-0184\n\n Vulnerability in Rack::Auth::AbstractRequest allows remote\n attackers to cause a denial of service via unknown vectors.\n\nCVE-2013-0263\n\n Rack::Session::Cookie allows remote attackers to guess the\n session cookie, gain privileges, and execute arbitrary code via a\n timing attack involving an HMAC comparison function that does not\n run in constant time. \n\nFor the oldstable distribution (squeeze), these problems have been fixed in\nversion 1.1.0-4+squeeze1.\n\nThe stable, testing and unstable distributions do not contain the\nlibrack-ruby package. They have already been addressed in version\n1.4.1-2.1 of the ruby-rack package.\n\nWe recommend that you upgrade your librack-ruby packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2013-10-21T19:21:19", "published": "2013-10-21T19:21:19", "id": "DEBIAN:DSA-2783-1:70ED3", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00194.html", "title": "[SECURITY] [DSA 2783-1] librack-ruby security update", "type": "debian", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:49", "bulletinFamily": "software", "cvelist": ["CVE-2013-0183", "CVE-2011-5036", "CVE-2013-0184", "CVE-2013-0263"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\n- --------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2783-2 security@debian.org\r\nhttp://www.debian.org/security/ Salvatore Bonaccorso\r\nOctober 24, 2013 http://www.debian.org/security/faq\r\n- --------------------------------------------------------------------------\r\n\r\nPackage : librack-ruby\r\nVulnerability : several\r\nProblem type : 
remote\r\nDebian-specific: no\r\nCVE ID : CVE-2011-5036 CVE-2013-0183 CVE-2013-0184 CVE-2013-0263\r\nDebian Bug : 653963 698440 700226\r\n\r\nThe update of librack-ruby in DSA-2783-1 also addressed CVE-2013-0183.\r\nThe patch applied breaks rails applications like redmine (see Debian Bug\r\n#727187). Updated packages are available to address this problem.\r\n\r\nFor reference, the original advisory text follows:\r\n\r\nSeveral vulnerabilities were discovered in Rack, a modular Ruby\r\nwebserver interface. The Common Vulnerabilites and Exposures project\r\nidentifies the following vulnerabilities:\r\n\r\nCVE-2011-5036\r\n\r\n Rack computes hash values for form parameters without restricting\r\n the ability to trigger hash collisions predictably, which allows\r\n remote attackers to cause a denial of service (CPU consumption)\r\n by sending many crafted parameters.\r\n\r\nCVE-2013-0184\r\n\r\n Vulnerability in Rack::Auth::AbstractRequest allows remote\r\n attackers to cause a denial of service via unknown vectors.\r\n\r\nCVE-2013-0263\r\n\r\n Rack::Session::Cookie allows remote attackers to guess the\r\n session cookie, gain privileges, and execute arbitrary code via a\r\n timing attack involving am HMAC comparison function that does not\r\n run in constant time.\r\n\r\nFor the oldstable distribution (squeeze), these problems have been fixed in\r\nversion 1.1.0-4+squeeze1.\r\n\r\nThe stable, testing and unstable distributions do not contain the\r\nlibrack-ruby package. 
They have already been addressed in version\r\n1.4.1-2.1 of the ruby-rack package.\r\n\r\nWe recommend that you upgrade your librack-ruby packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.15 (GNU/Linux)\r\n\r\niQIcBAEBCgAGBQJSaXS+AAoJEAVMuPMTQ89EmmEP/jR1XHtOt+qIbRe68DkmR3T+\r\nc13FpFVTh2Q2jGiPWtLeUox25Zr6XN3ZtOVlOXbJpJbT51rFqf5KeVU+2EO9bukA\r\n/UIvMmU7SNqE14vmCLBhhZfbjzlB7phtVtfqY2SMryeRW0KV8L2daljtSzJpb36D\r\nO6tRdCaS1O6LsNoCu4gV5o1j9sS7HenoG7f3zyXlPQvPOLkbqZoZseJkG5rlrFmu\r\nz8TYVxPLXalAOSYRa09ckJm9e5L91/zl3JXKbB4Amn/sjLrE/3aT0ipFX2FHNVCb\r\nIRIlyTRIcrfKzuPabGwf/HdJDKu3LqeoJXjc9OytT5XHoBzHyMRg3imI/evPInUB\r\nr0F14/mCZgI7R7HWRYL9YI7oI3M1SLXXoVjT04dZJWFkIuetypfeNAn7gmWE+B5K\r\niX8OqswZceOj9FTJuDxZAur9nowc9leDP9xXwlpa10z6N380ax3vrYRhXWwaW5io\r\ntuq5YTQN9tW3N2L0oDTmZQVCZFHqJMojEq/2rogAymBIp4TPvxrSEn0p9kHpfrur\r\n8+/QKYPmGXZ7SXXxlnPQDrqhFAcsobl62+obfuFXOquC+J+Snk5JJQ3I0on2qq4X\r\n6ZqfX4bA5IGnA2cohar5QpyE4QY0Rrc8EnylNkkZufLbhwin+eIYwHXz3Dbuj8uX\r\nPfBHzdV0zkVpegKYbiBw\r\n=HGaa\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2013-10-28T00:00:00", "published": "2013-10-28T00:00:00", "id": "SECURITYVULNS:DOC:29957", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29957", "title": "[SECURITY] [DSA 2783-2] librack-ruby regression update", "type": "securityvulns", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:53", "bulletinFamily": "software", "cvelist": ["CVE-2013-0183", "CVE-2011-5036", "CVE-2013-0184", "CVE-2013-0263"], "description": "DoS, code execution.", "edition": 1, "modified": "2013-10-28T00:00:00", "published": "2013-10-28T00:00:00", "id": "SECURITYVULNS:VULN:13370", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:VULN:13370", "title": "Librack multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:40", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0262", "CVE-2013-0263"], "description": "\nRack developers report:\n\nToday we are proud to announce the release of Rack 1.4.5.\nFix CVE-2013-0263, timing attack against Rack::Session::Cookie\nFix CVE-2013-0262, symlink path traversal in Rack::File\n\n", "edition": 4, "modified": "2013-02-08T00:00:00", "published": "2013-02-08T00:00:00", "id": "FCFDABB7-F14D-4E61-A7D5-CFEFB4B99B15", "href": "https://vuxml.freebsd.org/freebsd/fcfdabb7-f14d-4e61-a7d5-cfefb4b99b15.html", "title": "Ruby Rack Gem -- Multiple Issues", "type": "freebsd", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2020-03-10T23:26:17", "bulletinFamily": "software", "cvelist": ["CVE-2013-0262"], "description": "rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka \"symlink path traversals.\"", "edition": 2, "modified": "2019-07-03T21:02:00", "published": "2017-10-24T18:33:37", "id": "GHSA-85R7-W5MV-C849", "href": "https://github.com/advisories/GHSA-85r7-w5mv-c849", "title": "Moderate severity vulnerability that affects rack", "type": "github", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-03-10T23:26:17", "bulletinFamily": "software", "cvelist": ["CVE-2013-0183"], "description": "multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a 
Multipart HTTP packet.", "edition": 2, "modified": "2019-07-03T21:02:00", "published": "2017-10-24T18:33:37", "id": "GHSA-3PXH-H8HW-MJ8W", "href": "https://github.com/advisories/GHSA-3pxh-h8hw-mj8w", "title": "Moderate severity vulnerability that affects rack", "type": "github", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:46:30", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5561", "CVE-2012-5603", "CVE-2012-6109", "CVE-2013-0162", "CVE-2013-0183", "CVE-2013-0184"], "description": "Red Hat Subscription Asset Manager acts as a proxy for handling\nsubscription information and software updates on client machines.\n\nIt was discovered that Katello did not properly check user permissions when\nhandling certain requests. An authenticated remote attacker could use this\nflaw to download consumer certificates or change settings of other users'\nsystems if they knew the target system's UUID. (CVE-2012-5603)\n\nIt was found that the\n\"/usr/share/katello/script/katello-generate-passphrase\" utility, which is\nrun during the installation and configuration process, set world-readable\npermissions on the \"/etc/katello/secure/passphrase\" file. A local attacker\ncould use this flaw to obtain the passphrase for Katello, giving them\naccess to information they would otherwise not have access to.\n(CVE-2012-5561)\n\nNote: After installing this update, ensure the\n\"/etc/katello/secure/passphrase\" file is owned by the root user and group\nand mode 0750 permissions. Sites should also consider re-creating the\nKatello passphrase as this issue exposed it to local users.\n\nThree flaws were found in rubygem-rack. A remote attacker could use these\nflaws to perform a denial of service attack against applications using\nrubygem-rack. (CVE-2012-6109, CVE-2013-0183, CVE-2013-0184)\n\nIt was found that ruby_parser from rubygem-ruby_parser created a temporary\nfile in an insecure way. 
A local attacker could use this flaw to perform a\nsymbolic link attack, overwriting arbitrary files accessible to the\napplication using ruby_parser. (CVE-2013-0162)\n\nThe CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat;\nCVE-2012-5561 was discovered by Aaron Weitekamp of the Red Hat Cloud\nQuality Engineering team; and CVE-2013-0162 was discovered by Michael\nScherer of the Red Hat Regional IT team.\n\nThese updated Subscription Asset Manager packages include a number of bug\nfixes and enhancements. Space precludes documenting all of these changes\nin this advisory. Refer to the Red Hat Subscription Asset Manager 1.2\nRelease Notes for information about these changes:\n\nhttps://access.redhat.com/knowledge/docs/en-US/Red_Hat_Subscription_Asset_Manager/1.2/html/Release_Notes/index.html\n\nAll users of Red Hat Subscription Asset Manager are advised to upgrade to\nthese updated packages, which fix these issues and add various\nenhancements.\n", "modified": "2018-06-07T09:01:04", "published": "2013-02-21T05:00:00", "id": "RHSA-2013:0544", "href": "https://access.redhat.com/errata/RHSA-2013:0544", "type": "redhat", "title": "(RHSA-2013:0544) Important: Subscription Asset Manager 1.2 update", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:46:59", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0262", "CVE-2013-0263", "CVE-2013-0327", "CVE-2013-0328", "CVE-2013-0329", "CVE-2013-0330", "CVE-2013-0331"], "description": "OpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS)\nsolution from Red Hat, and is designed for on-premise or private cloud\ndeployments.\n\nA flaw was found in the handling of paths provided to ruby193-rubygem-rack.\nA remote attacker could use this flaw to conduct a directory traversal\nattack by passing malformed requests. (CVE-2013-0262)\n\nA timing attack flaw was found in the way rubygem-rack and\nruby193-rubygem-rack processed HMAC digests in cookies. 
This flaw could aid\nan attacker using forged digital signatures to bypass authentication\nchecks. (CVE-2013-0263)\n\nIt was found that Jenkins did not protect against Cross-Site Request\nForgery (CSRF) attacks. If a remote attacker could trick a user, who was\nlogged into Jenkins, into visiting a specially-crafted URL, the attacker\ncould perform operations on Jenkins. (CVE-2013-0327, CVE-2013-0329)\n\nA cross-site scripting (XSS) flaw was found in Jenkins. A remote attacker\ncould use this flaw to conduct an XSS attack against users of Jenkins.\n(CVE-2013-0328)\n\nA flaw could allow a Jenkins user to build jobs they do not have access to.\n(CVE-2013-0330)\n\nA flaw could allow a Jenkins user to cause a denial of service if they\nare able to supply a specially-crafted payload. (CVE-2013-0331)\n\nUsers are advised to upgrade to Red Hat OpenShift Enterprise 1.1.2. It is\nrecommended that you restart your system after applying this update.\n", "modified": "2018-06-09T14:17:09", "published": "2013-03-12T04:00:00", "id": "RHSA-2013:0638", "href": "https://access.redhat.com/errata/RHSA-2013:0638", "type": "redhat", "title": "(RHSA-2013:0638) Moderate: Red Hat OpenShift Enterprise 1.1.2 update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:47", "bulletinFamily": "unix", "cvelist": ["CVE-2012-6116", "CVE-2012-6119", "CVE-2013-0256", "CVE-2013-0263", "CVE-2013-0269", "CVE-2013-0276", "CVE-2013-1823"], "description": "Red Hat Subscription Asset Manager acts as a proxy for handling\nsubscription information and software updates on client machines.\n\nThe latest packages for Subscription Asset Manager include a number of security\nfixes:\n\nWhen a Subscription Asset Manager instance is created, its configuration\nscript automatically creates an RPM of the internal subscription service \nCA certificate. However, this RPM incorrectly created the CA certificate\nwith file permissions of 0666. 
This allowed other users on a client system\nto modify the CA certificate used to trust the remote subscription server.\nAll administrators are advised to update and deploy the subscription\nservice certificate on all systems which use Subscription Asset Manager\nas their subscription service. This procedure is described in:\nhttps://access.redhat.com/knowledge/docs/en-US/Red_Hat_Subscription_Asset_Manager/1.2/html/Installation_Guide/sect-Installation_Guide-Administration-Upgrading_Subscription_Asset_Manager.html\n(CVE-2012-6116)\n\nManifest signature checking was not implemented for early versions of \nSubscription Asset Manager. This meant that a malicious user could edit\na manifest file, insert arbitrary data, and successfully upload the edited\nmanifest file into the Subscription Asset Manager server. (CVE-2012-6119)\n\nRuby's documentation generator had a flaw in the way it generated HTML\ndocumentation. When a Ruby application exposed its documentation\non a network (such as a web page), an attacker could use a specially-\ncrafted URL to open an arbitrary web script or to execute HTML code\nwithin the application's user session. (CVE-2013-0256)\n\nA timing attack flaw was found in the way rubygem-rack and\nruby193-rubygem-rack processed HMAC digests in cookies. This flaw could aid\nan attacker using forged digital signatures to bypass authentication\nchecks. (CVE-2013-0263)\n\nA flaw in rubygem-json allowed remote attacks by creating different types\nof malicious objects. For example, it could initiate a denial of service\n(DoS) attack through resource consumption by using a JSON document to\ncreate arbitrary Ruby symbols, which were never garbage collected. It\ncould also be exploited to create internal objects which could allow a SQL\ninjection attack. (CVE-2013-0269)\n\nA flaw in ActiveRecord in Ruby on Rails allowed remote attackers to\ncircumvent attribute protections and to insert their own crafted requests\nto change protected attribute values. 
(CVE-2013-0276)\n\nHTML markup was not properly escaped when filling in the username field in\nthe Notifications form of the Subscription Asset Manager UI. This meant\nthat HTML code used in the value was then applied in the UI page when the\nentry was viewed. This could have allowed malicious HTML code to be\nentered. The field value is now validated and any HTML tags are escaped.\n(CVE-2013-1823)\n\nThese updated packages also include bug fixes and enhancements:\n\n* Previously, no SELinux policy for the subscription service was included\nwith the Subscription Asset Manager packages. The candlepin-selinux package\nis now included with SELinux policies for the subscription server. \n(BZ#906901)\n\n* When attempting to use the subscription service's CA certificate to\nvalidate a manifest during import, the comparison failed. The upstream\nsubscription service which generated the manifest is a different service\nthan the local subscription service; thus, they have different CA\ncertificates. This caused importing a manifest to fail with the error\n'archive failed signature'. This has been fixed so that the proper\ncertificate is used for verification. (BZ#918778)\n\nAll users of Subscription Asset Manager are recommended to update to the\nlatest packages.\n", "modified": "2018-06-07T09:01:03", "published": "2013-03-26T04:00:00", "id": "RHSA-2013:0686", "href": "https://access.redhat.com/errata/RHSA-2013:0686", "type": "redhat", "title": "(RHSA-2013:0686) Moderate: Subscription Asset Manager 1.2.1 update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2016-09-04T11:31:56", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2695", "CVE-2012-6109", "CVE-2013-0156", "CVE-2013-0183", "CVE-2013-0155", "CVE-2013-0184", "CVE-2012-5664"], "description": "rubygem-merb-core has been updated to change the rack\n version dependency. 
Now any rack 1.1 version is accepted.\n\n This update needs to be installed in parallel with the\n 2.3.17 rails update.\n", "edition": 1, "modified": "2013-03-20T17:04:42", "published": "2013-03-20T17:04:42", "id": "SUSE-SU-2013:0508-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00040.html", "title": "Security update for rubygem-merb-core (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}