20765 2009-07-13 11:29:39 +0400 CVE-2009-2422 Ruby on Rails Bug in 'http_authentication.rb' Lets Remote Users Bypass Authentication 2009-10-13 14:09:43 +0400 1 1 4 Development Sisyphus ruby-actionpack unstable all Linux CLOSED FIXED http://securitytracker.com/alerts/2009/Jul/1022517.html security P3 normal --- 1 crux cas cas imz led majioa mike nbr rider stalker stanv timonbl4 qa-sisyphus oldest_to_newest 94595 0 crux 2009-07-13 11:29:39 +0400 A vulnerability was reported in Ruby on Rails. A remote user can bypass authentication. A remote user can supply a specially crafted (invalid) username with no password to successfully authenticate and access a protected page. fixed in git: http://github.com/rails/rails/commit/056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489 94599 1 raorn 2009-07-13 12:16:08 +0400 Версия в Сизифе (2.3.2.1) содержит этот коммит. 94602 2 crux 2009-07-13 12:20:34 +0400 Я заглянул сюда и не увидел: http://git.altlinux.org/gears/r/ruby-rails.git?p=ruby-rails.git;a=blob;f=actionpack/lib/action_controller/http_authentication.rb;h=b6b5267c66f92c79bb4da58cb97dac7e84728a50;hb=d5dad091d19865be1e948a0b235c589ca801b1fc#l194 94604 3 raorn 2009-07-13 12:34:27 +0400 Немного перепутал follows и preceedes. 101397 4 raorn 2009-10-13 14:09:43 +0400 Тащемта, уже давно исправлено, например.