Bug 1173351 (CVE-2020-8184)

Summary: VUL-0: CVE-2020-8184: rubygem-rack-1_4,rubygem-rack: rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: cathy.hu, johannes.grassler, jtomasiak, pgajdos, smash_bz, thomas.leroy
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/261864/
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1177352
Whiteboard: CVSSv3.1:SUSE:CVE-2020-8184:6.8:(AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Backport of the patch to Rack 1.6.3
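The mechanism named in the summary, shown as an added example that is neither Rack's source nor code from this bug report: a browser enforces the __Host-/__Secure- rules only on the literal cookie name, so a cookie named "%5F%5FHost-session" can be set from a context that could never set "__Host-session". A cookie parser that percent-decodes the name after splitting the header then collapses the two onto one key. The header string, the function names (parse_cookies_vulnerable, parse_cookies_hardened, session_cookie, spoofed_prefix_names) and the "first occurrence wins" rule are assumptions made for the illustration; the hardened variant decodes only the value, which is the class of fix the referenced patch belongs to, and spoofed_prefix_names is a separate detection check over the raw header that is not part of any Rack release.

```ruby
require 'uri'

# Constructed sample Cookie header (not taken from the bug report). The order in
# which a browser sends the two cookies is not under the application's control,
# so the forged, percent-encoded name is placed first here.
FORGED_HEADER = '%5F%5FHost-session=forged; __Host-session=legit'

PREFIXES = ['__Host-', '__Secure-'].freeze

# Vulnerable parser (illustrative model of the pre-fix behaviour, not Rack's
# code): the whole name=value pair is percent-decoded, so an encoded name turns
# into the real prefixed name after parsing. First occurrence wins (RFC 6265).
def parse_cookies_vulnerable(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    next if pair.empty?
    decoded = begin
      URI.decode_www_form_component(pair)
    rescue ArgumentError
      pair # keep malformed %-sequences verbatim instead of failing the request
    end
    name, value = decoded.split('=', 2)
    cookies[name] = value unless cookies.key?(name)
  end
end

# Hardened parser: the name is taken literally and only the value is decoded,
# so "%5F%5FHost-session" and "__Host-session" remain distinct keys.
def parse_cookies_hardened(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    next if pair.empty?
    name, value = pair.split('=', 2)
    next if name.nil? || name.empty?
    value = begin
      URI.decode_www_form_component(value.to_s)
    rescue ArgumentError
      value.to_s
    end
    cookies[name] = value unless cookies.key?(name)
  end
end

# What an application that trusts the prefix would read: with the vulnerable
# parser this returns the attacker's value, with the hardened one the real one.
def session_cookie(cookies)
  cookies['__Host-session']
end

# Detection check on the raw header: names that are not literally prefixed but
# decode to a prefixed name. Anything returned here is an attempt at the trick
# and is worth logging or rejecting at the edge, independent of the parser fix.
def spoofed_prefix_names(header)
  header.split(/;\s*/).filter_map do |pair|
    name = pair.split('=', 2).first.to_s
    next if PREFIXES.any? { |p| name.start_with?(p) }
    decoded = begin
      URI.decode_www_form_component(name)
    rescue ArgumentError
      next
    end
    name if PREFIXES.any? { |p| decoded.start_with?(p) }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{parse_cookies_vulnerable(FORGED_HEADER).inspect}"
  puts "hardened:   #{parse_cookies_hardened(FORGED_HEADER).inspect}"
  puts "spoofed:    #{spoofed_prefix_names(FORGED_HEADER).inspect}"
end
```

The detection helper is a heuristic for logs or a reverse proxy, not a substitute for the package update: an upstream parser that still decodes names will collapse the keys before application code ever sees the encoded form.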

Comment 1 Johannes Grassler 2020-06-25 13:38:13 UTC
Created attachment 839096
Backport of the patch to Rack 1.6.3

Jacek (adding him to CC:) was a bit quicker than me and has already created a backport. Thanks! I'm currently testing this against SUSE OpenStack Cloud to make sure it doesn't break anything. Will update later.
Comment 4 Swamp Workflow Management 2020-09-18 13:15:58 UTC
SUSE-SU-2020:2678-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1159548,1172037,1173351
CVE References: CVE-2019-16782,CVE-2020-8161,CVE-2020-8184
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    rubygem-rack-1.6.13-3.8.1
SUSE OpenStack Cloud Crowbar 8 (src):    rubygem-rack-1.6.13-3.8.1
SUSE OpenStack Cloud 7 (src):    rubygem-rack-1.6.13-3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-10-26 14:22:08 UTC
SUSE-SU-2020:3036-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1165548,1168554,1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    rmt-server-2.6.5-3.3.1
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    rmt-server-2.6.5-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-11-04 14:17:27 UTC
SUSE-SU-2020:3147-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise Server 15-LTSS (src):    rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    rmt-server-2.6.5-3.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-11-05 14:22:13 UTC
SUSE-SU-2020:3160-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    rmt-server-2.6.5-3.18.1
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src):    rmt-server-2.6.5-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-11-21 17:17:13 UTC
openSUSE-SU-2020:1993-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1165548,1168554,1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    rmt-server-2.6.5-lp152.2.3.1
Comment 12 Swamp Workflow Management 2020-11-23 14:23:47 UTC
openSUSE-SU-2020:2000-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    rmt-server-2.6.5-lp151.2.18.2
Comment 13 OBSbugzilla Bot 2021-05-18 09:21:40 UTC
This is an autogenerated message for OBS integration:
This bug (1173351) was mentioned in
https://build.opensuse.org/request/show/893979 Factory / rmt-server
Comment 14 Marcus Meissner 2021-06-11 15:53:39 UTC
released
Comment 15 Hu 2022-08-12 07:59:41 UTC
Hi, I think this is missing in:
- SUSE:SLE-15:Update/rubygem-rack
- SUSE:SLE-12:Update/rubygem-rack-1_4

Could someone please have a look? Thanks!
Comment 17 Petr Gajdos 2022-09-15 15:21:55 UTC
15/rubygem-rack was submitted.

rubygem-rack-1_4: I do not see the parse_cookies_header code, so it might not be affected. Please ask the maintainer, though.
Comment 19 Swamp Workflow Management 2022-09-23 13:24:19 UTC
SUSE-SU-2022:3347-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1172037,1173351
CVE References: CVE-2020-8161,CVE-2020-8184
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    rubygem-rack-2.0.8-150000.3.9.1
openSUSE Leap 15.3 (src):    rubygem-rack-2.0.8-150000.3.9.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    rubygem-rack-2.0.8-150000.3.9.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    rubygem-rack-2.0.8-150000.3.9.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    rubygem-rack-2.0.8-150000.3.9.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    rubygem-rack-2.0.8-150000.3.9.1
SUSE Linux Enterprise High Availability 15 (src):    rubygem-rack-2.0.8-150000.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Thomas Leroy 2022-09-27 09:45:29 UTC
rubygem-rack-1_4 not affected, closing