[Bug 834785] New: default /etc/gemrc uses http source of gems instead of https
https://bugzilla.novell.com/show_bug.cgi?id=834785

https://bugzilla.novell.com/show_bug.cgi?id=834785#c0

           Summary: default /etc/gemrc uses http source of gems instead of https
    Classification: openSUSE
           Product: openSUSE Factory
           Version: 13.1 Milestone 4
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: mpapis@gmail.com
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0

install 13.1 m4
check /etc/gemrc
it contains:

    :sources:
    - http://rubygems.org

this is an insecure URL which will be used for fetching the gems index and the gems themselves; it can be replaced with `https://rubygems.org` and gems will be downloaded using https.

You can confirm which protocol is used with:

    sudo gem install --verbose haml

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
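An added example, not part of the original report or of openSUSE's packaging: a Ruby check that reads a gemrc, lists every `:sources:` entry not fetched over https, and emits the corrected file. The function names and the embedded sample are constructed here; the http-to-https rewrite assumes the host also serves gems over HTTPS, as the report states for rubygems.org.

```ruby
require "yaml"
require "uri"

# Constructed sample: the /etc/gemrc content quoted in the report.
SAMPLE_GEMRC = <<~GEMRC
  :sources:
  - http://rubygems.org
GEMRC

# gemrc keys are YAML symbols (":sources:"), so Symbol must be permitted.
def load_gemrc(text)
  data = YAML.safe_load(text, permitted_classes: [Symbol])
  data.is_a?(Hash) ? data : {}
end

# Key under which sources are stored (symbol form, or plain string form).
def sources_key(config)
  config.key?("sources") ? "sources" : :sources
end

# Every configured source whose scheme is not https (unparsable ones included).
def insecure_sources(text)
  config = load_gemrc(text)
  Array(config[sources_key(config)]).reject do |src|
    begin
      URI.parse(src.to_s).scheme == "https"
    rescue URI::InvalidURIError
      false
    end
  end
end

# gemrc text with http:// sources switched to https://; other keys untouched.
# Assumption: the host also serves gems over HTTPS, as rubygems.org does.
def harden_gemrc(text)
  config = load_gemrc(text)
  key = sources_key(config)
  return text unless config[key]
  config[key] = Array(config[key]).map { |s| s.to_s.sub(%r{\Ahttp://}i, "https://") }
  YAML.dump(config)
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_GEMRC
  insecure_sources(text).each { |s| warn "insecure gem source: #{s}" }
  puts harden_gemrc(text)
end
```

Run it with a path such as `/etc/gemrc` as the first argument to audit a real file; with no argument it audits the embedded sample.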

https://bugzilla.novell.com/show_bug.cgi?id=834785#c1

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com,
                   |                            |mrueckert@suse.com,
                   |                            |security-team@suse.de
         AssignedTo|security-team@suse.de       |jmassaguerpla@suse.com
            Summary|default /etc/gemrc uses     |VUL-0: ruby*: default
                   |http source of gems instead |/etc/gemrc uses http source
                   |of https                    |of gems instead of https

--- Comment #1 from Marcus Meissner <meissner@suse.com> 2013-08-14 11:03:30 UTC ---
jordi please adjust

https://bugzilla.novell.com/show_bug.cgi?id=834785#c

Jordi Massaguer <jmassaguerpla@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

https://bugzilla.novell.com/show_bug.cgi?id=834785#c2

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium

--- Comment #2 from Swamp Workflow Management <swamp@suse.de> 2013-08-14 22:00:15 UTC ---
bugbot adjusting priority

https://bugzilla.novell.com/show_bug.cgi?id=834785#c3

--- Comment #3 from Jordi Massaguer <jmassaguerpla@suse.com> 2013-08-19 11:15:42 UTC ---
created request id 195591
https://build.opensuse.org/request/show/195591

https://bugzilla.novell.com/show_bug.cgi?id=834785#c4

Jordi Massaguer <jmassaguerpla@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |meissner@suse.com

--- Comment #4 from Jordi Massaguer <jmassaguerpla@suse.com> 2013-08-19 11:17:59 UTC ---
Marcus: who should I assign the bug now?

https://bugzilla.novell.com/show_bug.cgi?id=834785#c5

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
       InfoProvider|meissner@suse.com           |

--- Comment #5 from Marcus Meissner <meissner@suse.com> 2013-08-19 11:33:33 UTC ---
(no CVE assigned yet, but there seems agreement for assignment)

Question is if we want to fix this for old distributions too.

Can you submit fixes for openSUSE at least?

If done, reassign to security-team@suse.de

https://bugzilla.novell.com/show_bug.cgi?id=834785#c6

Jordi Massaguer <jmassaguerpla@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|jmassaguerpla@suse.com      |security-team@suse.de

--- Comment #6 from Jordi Massaguer <jmassaguerpla@suse.com> 2013-08-22 10:42:51 UTC ---
For 12.2: created request id Request: #195985
For 12.3: created request id Request: #195984
For 13.1: created request id Request: #195591

https://bugzilla.novell.com/show_bug.cgi?id=834785#c7

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #7 from Marcus Meissner <meissner@suse.com> 2013-10-07 14:55:41 UTC ---
we probably wnt fix it for sles