Public bug reported:

Binary package hint: rails

The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.

Hardy has 1.2.6, so should be fixed.

** Affects: rails
     Importance: Unknown
         Status: Unknown

** Affects: rails (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: rails (Ubuntu Dapper)
     Importance: Undecided
         Status: New

** Affects: rails (Ubuntu Edgy)
     Importance: Undecided
         Status: New

** Affects: rails (Ubuntu Feisty)
     Importance: Undecided
         Status: New

** Affects: rails (Ubuntu Gutsy)
     Importance: Undecided
         Status: New

** Affects: rails (Ubuntu Hardy)
     Importance: Undecided
         Status: Fix Released

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-6077

** Changed in: rails (Ubuntu Hardy)
       Status: New => Fix Released

** Bug watch added: 'Bug tracker at http://dev.rubyonrails.org/' #10048
   http://dev.rubyonrails.org/ticket/10048

** Also affects: rails via
   http://dev.rubyonrails.org/ticket/10048
   Importance: Unknown
       Status: Unknown

-- 
[CVE-2007-6077] Potential session fixation attack
https://bugs.launchpad.net/bugs/173203
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
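A minimal Ruby model of the bug pattern the report describes, added here as an illustration; it is not Rails' own cgi_process.rb, and the class and method names (VulnerableRequest, FixedRequest, session_id_for, observed_cookie_only) are assumed for the model. It shows why deleting a key from a shared default-options constant protects only the first request, and the per-request copy that fixes it.

```ruby
# Added model of the CVE-2007-6077 bug pattern; this is not Rails' own
# cgi_process.rb, and the class/method names below are assumed for the model.

class VulnerableRequest
  # Shared default options, held in a module-level constant.
  DEFAULT_SESSION_OPTIONS = { :session_key => "_session_id", :cookie_only => true }
  attr_reader :cookie_only

  def initialize
    # Bug: the constant itself is used as the working hash, so Hash#delete
    # strips :cookie_only from the shared default. Only the first request
    # ever observes cookie_only == true; every later one gets nil.
    options = DEFAULT_SESSION_OPTIONS
    @cookie_only = options.delete(:cookie_only)
  end
end

class FixedRequest
  # Frozen, so an accidental in-place mutation raises instead of silently
  # weakening every later request.
  DEFAULT_SESSION_OPTIONS = { :session_key => "_session_id", :cookie_only => true }.freeze
  attr_reader :cookie_only

  def initialize
    # Fix: work on a per-request copy; the shared default is never touched.
    options = DEFAULT_SESSION_OPTIONS.dup
    @cookie_only = options.delete(:cookie_only)
  end
end

# Which session id a request adopts. With cookie_only the id must come from
# the cookie; without it, an id supplied in the query string is accepted,
# which is the condition that makes session fixation possible.
def session_id_for(request, cookies, params)
  key = "_session_id"
  return cookies[key] if request.cookie_only
  cookies[key] || params[key]
end

# cookie_only as seen by n consecutive requests of the given class.
def observed_cookie_only(klass, n)
  (1..n).map { klass.new.cookie_only }
end

if __FILE__ == $0
  puts "vulnerable: #{observed_cookie_only(VulnerableRequest, 3).inspect}"  # [true, nil, nil]
  puts "fixed:      #{observed_cookie_only(FixedRequest, 3).inspect}"       # [true, true, true]
end
```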