Bug 58897 (CVE-2004-0755)

Summary: VUL-0: CVE-2004-0755: possible file permissions problem in ruby
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Ruediger Oertel <ro>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: mge, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0755: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Sebastian Krahmer 2004-08-17 21:13:38 UTC
Debian released an advisory which you can find here:

http://www.nl.debian.org/security/2004/dsa-537

Does this also affect us? Might be we don't ship the ruby CGI package.
If we do, I think the bug has very low severity and it is enough to
have it fixed in STABLE.
Comment 1 Sebastian Krahmer 2004-08-17 21:13:38 UTC
...
Comment 2 Matthias Eckermann 2004-08-18 15:11:20 UTC
Yes, we deliver ruby-1.8.x in recent distributions,
and "CGI" and "session" are included in the main package.
Don't expect packages in STABLE before 20040830, please.
Comment 3 Matthias Eckermann 2004-09-17 23:10:29 UTC
UPDATE: packages will be ready until 20040924
Comment 4 Matthias Eckermann 2004-09-25 08:28:19 UTC
Hi Rüdiger,
AFAIK you are the fallback, if maintainer is not there or something
like that. I could not solve the problem before I leave for holiday
soon, sorry:-|

TIA MgE

If Oct 11th is ok for 9.2, I'll fix it then.
Comment 5 Ruediger Oertel 2004-09-25 17:39:55 UTC
this is CAN-2004-0755 
cgi_session.diff applied for STABLE 
Comment 6 Ruediger Oertel 2004-09-27 18:44:00 UTC
closing, since initial comment says to fix this only for STABLE 
 
Comment 7 Thomas Biege 2009-10-13 20:32:34 UTC
CVE-2004-0755: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)