rails: CVE-2020-15169

Debian Bug report logs - #970040


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 10 Sep 2020 18:39:01 UTC

Severity: important

Tags: security, upstream

Found in version rails/2:6.0.3.2+dfsg-11

Fixed in version rails/2:6.0.3.3+dfsg-1

Done: Utkarsh Gupta <utkarsh@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#970040; Package src:rails. (Thu, 10 Sep 2020 18:39:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 10 Sep 2020 18:39:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rails: CVE-2020-15169
Date: Thu, 10 Sep 2020 20:35:55 +0200
Source: rails
Version: 2:6.0.3.2+dfsg-11
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for rails.

CVE-2020-15169[0]:
| Cross-site scripting in translation helpers

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15169
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
[1] https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc?pli=1
[2] https://github.com/rails/rails/commit/e663f084460ea56c55c3dc76f78c7caeddeeb02e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Utkarsh Gupta <utkarsh@debian.org>: You have taken responsibility. (Fri, 11 Sep 2020 05:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 11 Sep 2020 05:21:05 GMT)


Message #10 received at 970040-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 970040-close@bugs.debian.org
Subject: Bug#970040: fixed in rails 2:6.0.3.3+dfsg-1
Date: Fri, 11 Sep 2020 05:18:29 +0000
Source: rails
Source-Version: 2:6.0.3.3+dfsg-1
Done: Utkarsh Gupta <utkarsh@debian.org>

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 970040@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utkarsh@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 11 Sep 2020 09:32:28 +0530
Source: rails
Architecture: source
Version: 2:6.0.3.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Closes: 970040
Changes:
 rails (2:6.0.3.3+dfsg-1) unstable; urgency=medium
 .
   [ Cédric Boutillier ]
   * [ci skip] Update team name
   * [ci skip] Add .gitattributes to keep unwanted files out of the
     source package
 .
   [ Utkarsh Gupta ]
   * New upstream version 6.0.3.3+dfsg
     - Ensure values directly from `options[:default]` are not marked
       as `html_safe`. (Fixes: CVE-2020-15169) (Closes: #970040)

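The changelog entry above states the fix in one line: a value taken directly from `options[:default]` must not be marked `html_safe`. The following Ruby is an added example, not code from Rails or from the Debian package: it models the translate helper's handling of keys ending in `_html` with a constructed `SafeString` stand-in for ActiveSupport::SafeBuffer, a constructed locale table `TRANSLATIONS`, a `render` function standing in for template output escaping, and the pre-fix and post-fix helper logic side by side (`translate_vulnerable`, `translate_fixed`; the key `missing.key_html` is constructed).

```ruby
require "cgi"

# Constructed stand-in for ActiveSupport::SafeBuffer: a String that is
# trusted as already-escaped HTML and is therefore emitted verbatim.
class SafeString < String
  def html_safe?; true; end
end

class String
  def html_safe?; false; end
  def html_safe; SafeString.new(self); end
end

# What a template does on output: escape unless the value is marked safe.
def render(value)
  value.html_safe? ? String.new(value) : CGI.escapeHTML(value)
end

# Constructed locale data standing in for config/locales/*.yml.
TRANSLATIONS = { "greeting_html" => "Hello <b>friend</b>" }.freeze

# Behaviour corrected in 6.0.3.3: for a key ending in _html, the helper marked
# its whole result html_safe, including a :default supplied by the caller
# (possibly built from request data) rather than taken from the locale files.
def translate_vulnerable(key, default: nil)
  value = TRANSLATIONS.fetch(key, default || "")
  key.end_with?("_html") ? value.html_safe : value
end

# Fixed behaviour: only a string that came from the translation store is
# marked html_safe; a :default keeps whatever trust the caller gave it, so a
# plain String default is escaped at render time like any other string.
def translate_fixed(key, default: nil)
  return default || "" unless TRANSLATIONS.key?(key)

  value = TRANSLATIONS[key]
  key.end_with?("_html") ? value.html_safe : value
end
```

With the vulnerable helper, a missing `_html` key whose `:default` was built from request data reaches the template already marked safe; with the fix the same default is escaped, while locale strings and defaults the caller explicitly marked `html_safe` still render unescaped.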





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Sep 11 05:34:46 2020; Machine Name: bembo
