Thin: Privilege escalation — GLSA 202007-40

A vulnerability was discovered in Thin which may allow local attackers to kill arbitrary processes (denial of service).

Affected packages

Package 	www-servers/thin on all architectures
Affected versions 	<= 1.7.2
Unaffected versions 	

Background

Thin is a small and fast Ruby web server.

Description

It was discovered that Gentoo’s Thin ebuild does not properly handle its temporary runtime directories. This only affects OpenRC systems, as the flaw was exploitable via the init script.

Impact

A local attacker could cause denial of service by killing arbitrary processes.

Workaround

There is no known workaround at this time.

Resolution

Gentoo has discontinued support for Thin. We recommend that users unmerge Thin:

 # emerge --unmerge "www-servers/thin"
 

NOTE: The Gentoo developer(s) maintaining Thin have discontinued support at this time. It may be possible that a new Gentoo developer will update Thin at a later date. There are many other web servers available in the tree in the www-servers category.