ruby-rails-admin: CVE-2017-12098

Related Vulnerabilities: CVE-2017-12098

Debian Bug report logs - #900178


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 27 May 2018 06:51:05 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version ruby-rails-admin/0.8.1+dfsg-3

Fixed in version 0.8.1+dfsg-3+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Forwarded to https://github.com/sferik/rails_admin/issues/2985



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#900178; Package src:ruby-rails-admin. (Sun, 27 May 2018 06:51:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 27 May 2018 06:51:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-rails-admin: CVE-2017-12098
Date: Sun, 27 May 2018 08:48:58 +0200
Source: ruby-rails-admin
Version: 0.8.1+dfsg-3
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://github.com/sferik/rails_admin/issues/2985

Hi,

The following vulnerability was published for ruby-rails-admin.

CVE-2017-12098[0]:
| An exploitable cross site scripting (XSS) vulnerability exists in the
| add filter functionality of the rails_admin rails gem version 1.2.0. A
| specially crafted URL can cause an XSS flaw resulting in an attacker
| being able to execute arbitrary javascript on the victim's browser. An
| attacker can phish an authenticated user to trigger this
| vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12098
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12098
[1] https://github.com/sferik/rails_admin/issues/2985
[2] https://github.com/sferik/rails_admin/commit/44f09ed72b5e0e917a5d61bd89c48d97c494b41c

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 31 May 2018 17:39:23 GMT)


Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>: You have taken responsibility. (Sat, 23 Feb 2019 11:33:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 23 Feb 2019 11:33:05 GMT)


Message #12 received at 900178-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 891716-done@bugs.debian.org,900178-done@bugs.debian.org,903855-done@bugs.debian.org,
Cc: ruby-rails-admin@packages.debian.org
Subject: Bug#922836: Removed package(s) from unstable
Date: Sat, 23 Feb 2019 11:31:10 +0000
Version: 0.8.1+dfsg-3+rm

Dear submitter,

as the package ruby-rails-admin has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/922836

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:13:38 2019; Machine Name: beach
