ruby-doorkeeper: CVE-2018-1000211: Public apps can't revoke OAuth access & refresh tokens in Doorkeeper

Related Vulnerabilities: CVE-2018-1000211, CVE-2018-1000088

Debian Bug report logs - #903980

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 17 Jul 2018 18:36:04 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version ruby-doorkeeper/4.2.0-1

Fixed in version ruby-doorkeeper/4.4.2-1

Done: Pirate Praveen <praveen@debian.org>

Forwarded to https://github.com/doorkeeper-gem/doorkeeper/issues/891



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#903980; Package src:ruby-doorkeeper. (Tue, 17 Jul 2018 18:36:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 17 Jul 2018 18:36:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-doorkeeper: CVE-2018-1000211: Public apps can't revoke OAuth access & refresh tokens in Doorkeeper
Date: Tue, 17 Jul 2018 20:34:55 +0200
Source: ruby-doorkeeper
Version: 4.2.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/doorkeeper-gem/doorkeeper/issues/891

Hi,

The following vulnerability was published for ruby-doorkeeper.

CVE-2018-1000211[0]:
| Doorkeeper version 4.2.0 and later contains an Incorrect Access Control
| vulnerability in the Token revocation API's authorized method that can
| result in access tokens not being revoked for public OAuth apps, leaking
| access until expiry.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000211
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000211
[1] https://github.com/doorkeeper-gem/doorkeeper/issues/891

Regards,
Salvatore
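An added illustration of the failure mode the CVE text above describes, written for this report and not taken from Doorkeeper's own code: a constructed in-memory token store with a revocation handler parameterised by its authorization check. The flawed check (an assumption modelled on the description, not Doorkeeper's actual method) only accepts clients that present a secret, so a public client, which has none, is never "authorized" and its token is silently left active while the endpoint still answers 200 as RFC 7009 requires. The corrected check identifies public clients by client_id alone and still requires the secret from confidential clients. The client names, token store and `demo` helper are all constructed for this example.

```ruby
require 'securerandom'

# Constructed types for the illustration (not Doorkeeper's models).
Client = Struct.new(:id, :secret, :confidential)
Token  = Struct.new(:value, :client_id, :revoked)

class TokenStore
  def initialize
    @clients = {}
    @tokens  = {}
  end

  # A client registered with a secret is confidential; one without is public.
  def register(id, secret: nil)
    @clients[id] = Client.new(id, secret, !secret.nil?)
  end

  def issue(client_id)
    value = SecureRandom.hex(16)
    @tokens[value] = Token.new(value, client_id, false)
    value
  end

  def active?(value)
    token = @tokens[value]
    !token.nil? && !token.revoked
  end

  # Flawed check (assumed shape of the defect): only a client presenting a
  # valid secret counts as authorized, so a public client never does.
  def authorized_flawed?(client_id, secret)
    client = @clients[client_id]
    !client.nil? && !client.secret.nil? && client.secret == secret
  end

  # Corrected check: confidential clients must present their secret; public
  # clients are identified by client_id alone (RFC 6749 s.2.3, RFC 7009 s.2.1).
  def authorized_fixed?(client_id, secret)
    client = @clients[client_id]
    return false if client.nil?
    client.confidential ? client.secret == secret : true
  end

  # Revocation handler. RFC 7009 has the server answer 200 even when nothing
  # was revoked, which is why a skipped revocation is invisible to the caller;
  # the :revoked flag is returned here so a test can observe the difference.
  # A token is only revoked if it belongs to the requesting client.
  def revoke(token_value, client_id:, secret: nil, check:)
    token = @tokens[token_value]
    ok = send(check, client_id, secret) &&
         !token.nil? && token.client_id == client_id
    token.revoked = true if ok
    { status: 200, revoked: ok }
  end
end

# Walk-through with two constructed clients: one confidential, one public.
# Returns which tokens are still usable after both clients asked for revocation.
def demo(check)
  store = TokenStore.new
  store.register('web-app', secret: 's3cret')
  store.register('mobile-app')                 # public client, no secret
  t_conf = store.issue('web-app')
  t_pub  = store.issue('mobile-app')
  store.revoke(t_conf, client_id: 'web-app', secret: 's3cret', check: check)
  store.revoke(t_pub,  client_id: 'mobile-app', check: check)
  { confidential_still_active: store.active?(t_conf),
    public_still_active: store.active?(t_pub) }
end

if $PROGRAM_NAME == __FILE__
  p demo(:authorized_flawed?)   # public token stays active until expiry
  p demo(:authorized_fixed?)    # both tokens revoked
end
```

The operational check this suggests for a deployment is the same as the demo: issue a token to a public client, call the revocation endpoint with that client's client_id, and confirm the token is rejected afterwards rather than trusting the 200 response.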



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 23 Jul 2018 17:24:11 GMT) (full text, mbox, link).


Reply sent to Pirate Praveen <praveen@debian.org>:
You have taken responsibility. (Sat, 25 Aug 2018 12:09:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 25 Aug 2018 12:09:06 GMT) (full text, mbox, link).


Message #12 received at 903980-close@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@debian.org>
To: 903980-close@bugs.debian.org
Subject: Bug#903980: fixed in ruby-doorkeeper 4.4.2-1
Date: Sat, 25 Aug 2018 12:05:32 +0000
Source: ruby-doorkeeper
Source-Version: 4.4.2-1

We believe that the bug you reported is fixed in the latest version of
ruby-doorkeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903980@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated ruby-doorkeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Aug 2018 17:22:16 +0530
Source: ruby-doorkeeper
Binary: ruby-doorkeeper
Architecture: source
Version: 4.4.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Description:
 ruby-doorkeeper - OAuth 2 provider for Rails and Grape
Closes: 903980
Changes:
 ruby-doorkeeper (4.4.2-1) unstable; urgency=medium
 .
   * New upstream version 4.4.2 (Closes: #903980)
     (Fixes: CVE-2018-1000211, CVE-2018-1000088)
   * Bump Standards-Version to 4.2.0 (no changes needed)
Checksums-Sha1:
 0e13999814a960ccc70b72ddb44de777b3f95c52 2110 ruby-doorkeeper_4.4.2-1.dsc
 8aa946fc778687ede70bbda5772ce26498bc0e28 117423 ruby-doorkeeper_4.4.2.orig.tar.gz
 5f54660d5177bee2ac64243bed64e02b8fe12253 2696 ruby-doorkeeper_4.4.2-1.debian.tar.xz
 4ca735e58e2814dada791d18f9cae01fcbc14201 7783 ruby-doorkeeper_4.4.2-1_source.buildinfo
Checksums-Sha256:
 708debf6a4e83342dc4f39503aa9f0edc4dbe0f3eec6a32886ea34aa87a65779 2110 ruby-doorkeeper_4.4.2-1.dsc
 fed606a0f01801bca3042c0b546b393c972fd7353785f1798f915e924bca7b99 117423 ruby-doorkeeper_4.4.2.orig.tar.gz
 15ac648a3979d592bed6dcaca46186edcdf5fe81f186d9b86475f8573c31b3cc 2696 ruby-doorkeeper_4.4.2-1.debian.tar.xz
 a0f14aeb00394069231226c98b60058aecf7b39d218a6853a5e63e903ebb13df 7783 ruby-doorkeeper_4.4.2-1_source.buildinfo
Files:
 8d41947fa5223bb8cf8956dea016e863 2110 ruby optional ruby-doorkeeper_4.4.2-1.dsc
 5d6242a2044ee1bd17bb5db5ffe4cb93 117423 ruby optional ruby-doorkeeper_4.4.2.orig.tar.gz
 b7dee3333fbb4b39e73c74cc78f78d40 2696 ruby optional ruby-doorkeeper_4.4.2-1.debian.tar.xz
 45e87db42f4976ba2c8aa6d70deb5d8f 7783 ruby optional ruby-doorkeeper_4.4.2-1_source.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:17:26 2019; Machine Name: buxtehude
