Public bug reported:

Binary package hint: rails

The session fixation protection mechanism in cgi_process.rb in Rails
1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from
the DEFAULT_SESSION_OPTIONS constant, which effectively causes
cookie_only to be applied only to the first instantiation of CgiRequest,
which allows remote attackers to conduct session fixation attacks. NOTE:
this is due to an incomplete fix for CVE-2007-5380.

Hardy has 1.2.6, so should be fixed.
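As an added illustration of the failure mode the description names (not Rails' own cgi_process.rb, whose code differs), the following constructed Ruby shows how deleting :cookie_only from a per-request options hash that is really the shared default-options constant leaves only the first request protected, and how building each request's options as a fresh copy from a frozen constant keeps the flag in place for every request. The class names, the option keys, the simulated session-id lookup and the sample ids are assumptions made for this example.

```ruby
# Constructed illustration of the CVE-2007-6077 bug pattern; not Rails code.

class VulnerableRequest
  # Shared defaults, standing in for a DEFAULT_SESSION_OPTIONS constant.
  DEFAULTS = { :session_key => "_session_id", :cookie_only => true }

  def initialize(overrides = {})
    @overrides = overrides
  end

  def session_options
    # BUG: with no overrides this returns the shared DEFAULTS hash itself,
    # not a copy, so any mutation of the result is a mutation of DEFAULTS.
    @session_options ||= (@overrides.empty? ? DEFAULTS : DEFAULTS.merge(@overrides))
  end

  # Pops :cookie_only off the options before they are handed to the store.
  # On the shared hash the delete is permanent: the next request that is
  # instantiated without overrides no longer sees the flag at all.
  def cookie_only?
    session_options.delete(:cookie_only) ? true : false
  end
end

class FixedRequest
  # Freezing the constant turns any accidental mutation into an exception
  # instead of a silent, process-wide loss of the protection.
  DEFAULTS = { :session_key => "_session_id", :cookie_only => true }.freeze

  def initialize(overrides = {})
    @overrides = overrides
  end

  def session_options
    # Hash#merge always returns a new hash, so the delete below only touches
    # this request's private copy.
    @session_options ||= DEFAULTS.merge(@overrides)
  end

  def cookie_only?
    session_options.delete(:cookie_only) ? true : false
  end
end

# Simulated session lookup (assumption): with cookie_only only the cookie is
# consulted; without it an id carried in the query string is accepted, which
# is the condition session fixation relies on.
def resolve_session_id(request, cookie_id, query_id)
  request.cookie_only? ? cookie_id : (query_id || cookie_id)
end

# Instantiates n requests that each carry the same cookie id and the same
# query-string id, and reports which id each request ended up using.
def session_ids_over_requests(klass, n, cookie_id = "cookie-sid", query_id = "query-sid")
  Array.new(n) { resolve_session_id(klass.new, cookie_id, query_id) }
end
```

Calling `session_ids_over_requests(VulnerableRequest, 3)` once in a fresh process gives `["cookie-sid", "query-sid", "query-sid"]` and leaves `VulnerableRequest::DEFAULTS` without its :cookie_only key, which is the "applied only to the first instantiation" behaviour from the description; `session_ids_over_requests(FixedRequest, 3)` returns the cookie id every time and the frozen defaults are untouched. A unit test that instantiates two requests and checks the flag on both is the simplest regression check for this class of bug.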

** Affects: rails
     Importance: Unknown
         Status: Unknown

** Affects: rails (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: rails (Ubuntu Dapper)
     Importance: Undecided
         Status: New

** Affects: rails (Ubuntu Edgy)
     Importance: Undecided
         Status: New

** Affects: rails (Ubuntu Feisty)
     Importance: Undecided
         Status: New

** Affects: rails (Ubuntu Gutsy)
     Importance: Undecided
         Status: New

** Affects: rails (Ubuntu Hardy)
     Importance: Undecided
         Status: Fix Released

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-6077

** Changed in: rails (Ubuntu Hardy)
       Status: New => Fix Released

** Bug watch added: 'Bug tracker at http://dev.rubyonrails.org/' #10048
   http://dev.rubyonrails.org/ticket/10048

** Also affects: rails via
   http://dev.rubyonrails.org/ticket/10048
   Importance: Unknown
       Status: Unknown

-- 
[CVE-2007-6077] Potential session fixation attack
https://bugs.launchpad.net/bugs/173203

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs