Description
Security update for rubygem-activesupport-3_2
This update for rubygem-activesupport-3_2 fixes the following issues:
The previous patch for CVE-2015-7576 added the file lib/active_support/security_utils.rb, but this file was not listed in the gemspec, so the final gem did not contain it.
Package list
SUSE Lifecycle Management Server 1.3
SUSE Linux Enterprise Software Development Kit 11 SP4
SUSE Studio Onsite 1.3
SUSE WebYast 1.3
References
- Link for SUSE-SU-2016:0968-1
- E-Mail link for SUSE-SU-2016:0968-1
- SUSE Security Ratings
- SUSE Bug 970715
- SUSE CVE CVE-2015-7576 page
Description
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
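The difference between an early-exit comparison and a constant-time one, as an added Ruby example (this is not the Rails or SUSE code). The method names, the sample secret and the `steps` counter, which stands in for elapsed time, are constructed for illustration.

```ruby
require 'digest'

# Early-exit comparison, the pattern the CVE describes. The amount of work
# depends on how many leading bytes of the guess match the secret.
def naive_compare(secret, guess)
  steps = 0
  return [false, steps] unless secret.bytesize == guess.bytesize
  secret.bytes.zip(guess.bytes) do |s, g|
    steps += 1
    return [false, steps] if s != g # stops at the first mismatch
  end
  [true, steps]
end

# Constant-time comparison. Both inputs are hashed first so the loop always
# covers 32 bytes regardless of input length, and every byte pair is XORed
# into an accumulator with no early exit.
def constant_time_compare(secret, guess)
  a = Digest::SHA256.digest(secret).bytes
  b = Digest::SHA256.digest(guess).bytes
  diff = 0
  steps = 0
  a.zip(b) do |x, y|
    steps += 1
    diff |= x ^ y
  end
  [diff.zero?, steps]
end

if __FILE__ == $PROGRAM_NAME
  secret = 's3cret-pass' # constructed sample value
  ['x3cret-pass', 's3cret-pasX', 'short', secret].each do |guess|
    puts format('%-12s naive=%-12p constant=%p', guess,
                naive_compare(secret, guess),
                constant_time_compare(secret, guess))
  end
end
```

The naive step count varies with the input while the constant-time count stays at 32 for every input, which is the property the fix for this CVE needs.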
Affected products
References
- CVE-2015-7576
- SUSE Bug 963329
- SUSE Bug 963563
- SUSE Bug 970715