ESB-2018.0417 - [Win][UNIX/Linux][Debian] ruby-omniauth: Access confidential data - Remote/unauthenticated 2018-02-12


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0417
                       ruby-omniauth security update
                             12 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-omniauth
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-18076  

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4109

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running ruby-omniauth check for an updated version of the software 
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4109-1                   security@debian.org
https://www.debian.org/security/                                         
February 09, 2018                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : ruby-omniauth
CVE ID         : CVE-2017-18076
Debian Bug     : 888523

Lalith Rallabhandi discovered that OmniAuth, a Ruby library for
implementing multi-provider authentication in web applications,
mishandled and leaked sensitive information. An attacker with access to
the callback environment, such as in the case of a crafted web
application, can request authentication services from this module and
gain access to the CSRF token.
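The advisory text is terse about the mechanism. The leak came from the request phase stashing the incoming request parameters in the session so that the callback phase could later expose them in the Rack environment (`omniauth.params`); because the merged GET+POST parameter set was stored, a POSTed Rails `authenticity_token` travelled along and became readable by anything in the callback chain. The following is an added, self-contained model written for this bulletin, not OmniAuth's own code: `FakeRequest` stands in for a `Rack::Request`, the sample parameters are constructed, and the assumption (labelled in the code) is that the upstream fix in OmniAuth 1.3.2 narrowed the stored value from `request.params` to `request.GET`.

```ruby
# Added example (not OmniAuth's own code): a minimal model of how the
# request phase stashes parameters in the session for the callback phase,
# and why storing the merged GET+POST params leaked the Rails
# authenticity_token (CVE-2017-18076).
#
# Assumptions (labelled, not taken from the advisory):
# - FakeRequest stands in for a Rack::Request; #params is GET merged with
#   POST, as Rack does.
# - The upstream fix changed the stored value from request.params to
#   request.GET; `safe:` selects between the two behaviours here.

FakeRequest = Struct.new(:get_params, :post_params) do
  # Rack::Request#params merges query-string and form parameters.
  def params
    get_params.merge(post_params)
  end

  # Rack::Request#GET returns only the query-string parameters.
  def GET
    get_params
  end
end

# Request phase: the app POSTs to /auth/:provider with a form that carries
# the CSRF token; the parameters are kept so the callback can see them.
def request_phase(request, session, safe:)
  stored = safe ? request.GET : request.params
  session['omniauth.params'] = stored.dup
  session
end

# Callback phase: the stored parameters are moved into the Rack env, where
# any middleware, strategy or app in the callback chain can read them.
def callback_phase(session)
  env = {}
  env['omniauth.params'] = session.delete('omniauth.params') || {}
  env
end

# Runs one request/callback round trip and returns the env the callback sees.
def simulate(safe:)
  request = FakeRequest.new(
    { 'origin' => '/dashboard' },                         # constructed query string
    { 'authenticity_token' => 'secret-csrf-token-value' } # constructed POST body
  )
  session = {}
  request_phase(request, session, safe: safe)
  callback_phase(session)
end

# True when the CSRF token reached the callback environment.
def token_leaked?(safe:)
  simulate(safe: safe)['omniauth.params'].key?('authenticity_token')
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable (request.params): leaked=#{token_leaked?(safe: false)}"
  puts "fixed      (request.GET):    leaked=#{token_leaked?(safe: true)}"
end
```

Run it with `ruby omniauth_leak_model.rb`: the vulnerable path reports `leaked=true`, the fixed path `leaked=false` while still carrying the harmless `origin` query parameter through. The practical check that follows from this is to confirm your deployed OmniAuth is at or above the fixed version (the Debian packages named below, or upstream 1.3.2 or later for gem installs), and to audit any callback-chain code that reads `env['omniauth.params']` on the assumption that it only ever contained query-string values.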

For the oldstable distribution (jessie), this problem has been fixed
in version 1.2.1-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.3.1-1+deb9u1.

We recommend that you upgrade your ruby-omniauth packages.

For the detailed security status of ruby-omniauth please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-omniauth

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWoEN9Yx+lLeg9Ub1AQih/g/+P6GSj1etSumkdH89kzUKvYIBLt0X9uNT
5O2FaGpbcZ9BPr5iAN4x3HkKaQxY5E1a5xGFr4enU3CRSZ988+FULJxCLIZFxGXd
Vxu5CCVlpVxZZ+8UFzYNFSEi/aMtbP+cXCA7XvlUkpuh2P/GXgSoxfbQZv8Yy1nN
QIWHu4/Uo0IKFfMdtRAvnDTYpAsEAIdkv2XrS9Cqvc4Re8Ko6Gh6A2bUcdXTdb/6
mwphx73N0knIfhLmXLiW0F83Drinm1tNOEreFbLhWaFHKtLLGabV1ZjxPxGvzuMN
hvHWOi7E5/euNjksdN3xnhDtqljexEFKx0tG/WwgrfjkJF7dJ2FNm6MrT1SHX+xS
eTw5CIrfFKLTxjhIsy1hztpLYlk+5f4kHe0Kw409w5PZfPYOuIB1orWTTL5Cvd3A
tBwQwh2Ulm55PwsxqX32/RymYQrAiiQzPPPQFPoCHzh7wqjfuxd7WmVXDndg+R51
wSgO16TmYD1OVgn5x6ROZgE5lmhLJc379kE+zVKPIq0O9zBuGuQD7obSx1A0s2zc
xRclqgna/Iux87vZrjcjxthXBFsbaZxUrfWvm4OhfqOEEm9D6lMaNLvYkomoQ8ub
W4u24Za9L+1WOhElL7qBzHhXfsJHZq+tadW+NOJlnn5PXnC9zMpCbMtBay4ZYDhM
iHZjWhhP1G0=
=HP++
-----END PGP SIGNATURE-----
