Code Injection
The rest-client gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.
In the rest-client package, abstract_response.rb improperly handles Set-Cookie headers on HTTP redirection responses. Any cookies will be forwarded to the redirection target regardless of domain, path, or expiration. If you control a redirection source, you can cause rest-client to perform a request to any third-party domain with cookies of your choosing, which may be useful in performing a session fixation attack. If you control a redirection target, you can steal …
REST Client for Ruby contains a flaw that is due to the application logging password information in plaintext. This may allow a local attacker to gain access to password information.