rails: CVE-2018-16476: Broken Access Control vulnerability in Active Job

Related Vulnerabilities: CVE-2018-16476   CVE-2018-16477   CVE-2019-5418   CVE-2019-5419  

Debian Bug report logs - #914847


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 27 Nov 2018 22:09:05 UTC

Severity: important

Tags: patch, security, upstream

Found in versions rails/2:4.2.7.1-1, rails/2:4.2.10-1

Fixed in versions rails/2:5.2.2+dfsg-1, rails/2:4.2.7.1-1+deb9u1

Done: Moritz Mühlenhoff <jmm@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#914847; Package src:rails. (Tue, 27 Nov 2018 22:09:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 27 Nov 2018 22:09:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rails: CVE-2018-16476: Broken Access Control vulnerability in Active Job
Date: Tue, 27 Nov 2018 23:08:29 +0100
Source: rails
Version: 2:4.2.7.1-1
Severity: important
Tags: patch security upstream
Control: found -1 2:4.2.10-1

Hi,

The following vulnerability was published for rails.

CVE-2018-16476[0]:
Broken Access Control vulnerability in Active Job

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16476
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16476
[1] https://www.openwall.com/lists/oss-security/2018/11/27/4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions rails/2:4.2.10-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 27 Nov 2018 22:09:07 GMT)


Reply sent to Sruthi Chandran <srud@disroot.org>:
You have taken responsibility. (Mon, 07 Jan 2019 06:39:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 07 Jan 2019 06:39:05 GMT)


Message #12 received at 914847-close@bugs.debian.org:

From: Sruthi Chandran <srud@disroot.org>
To: 914847-close@bugs.debian.org
Subject: Bug#914847: fixed in rails 2:5.2.2+dfsg-1
Date: Mon, 07 Jan 2019 06:35:07 +0000
Source: rails
Source-Version: 2:5.2.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 914847@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sruthi Chandran <srud@disroot.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 07 Jan 2019 00:23:02 +0530
Source: rails
Binary: ruby-activesupport ruby-activerecord ruby-activemodel ruby-activejob ruby-actionview ruby-actionpack ruby-actionmailer ruby-actioncable ruby-activestorage ruby-railties ruby-rails rails
Architecture: source
Version: 2:5.2.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Sruthi Chandran <srud@disroot.org>
Description:
 rails      - MVC ruby based framework geared for web application development (
 ruby-actioncable - WebSocket framework for Rails (part of Rails)
 ruby-actionmailer - email composition, delivery, and receiving framework (part of Rai
 ruby-actionpack - web-flow and rendering framework putting the VC in MVC (part of R
 ruby-actionview - framework for handling view template lookup and rendering (part o
 ruby-activejob - job framework with pluggable queues
 ruby-activemodel - toolkit for building modeling frameworks (part of Rails)
 ruby-activerecord - object-relational mapper framework (part of Rails)
 ruby-activestorage - Local and cloud file storage framework (part of Rails)
 ruby-activesupport - Support and utility classes used by the Rails 4.1 framework
 ruby-rails - MVC ruby based framework geared for web application development
 ruby-railties - tools for creating, working with, and running Rails applications
Closes: 914847 914848
Changes:
 rails (2:5.2.2+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 5.2.2 (Closes: #914847, #914848)
     (Fixes: CVE-2018-16476, CVE-2018-16477)
   * Delete 0002-edit-activestorage-webpack-config-js.patch
   * Add 0002-disable-uglify-in-activestorage-rollup-config-js.patch
Checksums-Sha1:
 a73d505257109845c897741d4cf6aa0d75422ec4 4198 rails_5.2.2+dfsg-1.dsc
 917b7cd7dcaca3493a452c9f93cf4f7a68d2f9ec 6145456 rails_5.2.2+dfsg.orig.tar.xz
 c7085920aa2d41814b6142855410a306237fbcc4 86824 rails_5.2.2+dfsg-1.debian.tar.xz
 634f5073b7595f6a4db21af037a7dc3a2192e917 8568 rails_5.2.2+dfsg-1_source.buildinfo
Checksums-Sha256:
 0d7de5c5a3e46c255e4305443035f2685a6922ebfcccf3cddb2ab71449077dad 4198 rails_5.2.2+dfsg-1.dsc
 0a7d0ff57d2683804196cf39307dfe79bf7c85625b9f5fcfd2aae9a55e048663 6145456 rails_5.2.2+dfsg.orig.tar.xz
 291579b00dd6910983c486a2d2f620f05d182f412819d81c7a632891ca458e9f 86824 rails_5.2.2+dfsg-1.debian.tar.xz
 6f3eef98fe6772f953b686fa5ba97b409a17221e7c7f51445e265332201ab341 8568 rails_5.2.2+dfsg-1_source.buildinfo
Files:
 cb76e43a7a61b95789269d283b1a9a1e 4198 ruby optional rails_5.2.2+dfsg-1.dsc
 4fbd4b546a858a99856097177620e4c5 6145456 ruby optional rails_5.2.2+dfsg.orig.tar.xz
 30e6287deba09b237ee37dd35fff31d0 86824 ruby optional rails_5.2.2+dfsg-1.debian.tar.xz
 a8f13edd00be9d097c0bf5594ef536d3 8568 ruby optional rails_5.2.2+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKnl0ri/BUtd4Z9pKzh+cZ0USwioFAlwyXeYACgkQzh+cZ0US
wiotnxAAnTxxMG0rfy6nJzsFNjEiM7HHJ4xkL+7luSFsY+8e46oseVnTCsf/PT18
zM3cqqS41qnOMudq0ntpWExOowdeO3nUIL/CMtvKXc4FC7EnV3FWzxG/vyZNRVlQ
8uf4oZ8fiTz0tLm7eVtfbakFlb83ZaQ1PiBI76tciXIQU/FC0YuoA995dHgNHmQr
vk7vE1LI9eZI/5hnqpbWqF6pb4sI3HsAy9STF0lz7KipqMdBeMYcTehdefRuhcTr
zLxaSj1LoKV011Pw2IJig2uc8SjivGhLo6ZX5RcHzTMzPzcTIRsYZCcG5/BQoIZO
+kBB3btE9D5BsDPxnDJsojHqKNBiFrrMWuiPCb0EJ2H1ZimkhFLBDy2Z7tv1rzax
qQYvSIJ1Uw0GHV5al25o/ru74QRLHPqdWq8LvU3ptfKfxu3E7obbPfH75Jmh9cYd
g1IADBBMN0L9forZN60/ql9NqN/dPq/0KiocWwljlhzlkPzTKY9sgc1GXqtU12pL
PWHQo12twowixl8sB1fTGBXOPGfS7Cx1PAm3Iq8p1GUkSqyOfI8R61DoTTq8HVaz
ESykkJadXcplzBi6XtsA1HtAcVrl97mcK1kBgliYIQQPg41Sqnof7UM5kc+EkkJz
YyR82ZxBzWNt4aasrTYiizXmGjVLJoFuCw+/K0nbYX+6Bla78uI=
=Az+E
-----END PGP SIGNATURE-----




Reply sent to Moritz Mühlenhoff <jmm@debian.org>:
You have taken responsibility. (Sat, 20 Apr 2019 21:48:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 20 Apr 2019 21:48:08 GMT)


Message #17 received at 914847-close@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@debian.org>
To: 914847-close@bugs.debian.org
Subject: Bug#914847: fixed in rails 2:4.2.7.1-1+deb9u1
Date: Sat, 20 Apr 2019 21:47:09 +0000
Source: rails
Source-Version: 2:4.2.7.1-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 914847@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Apr 2019 20:48:13 +0200
Source: rails
Binary: ruby-activesupport ruby-activerecord ruby-activemodel ruby-activejob ruby-actionview ruby-actionpack ruby-actionmailer ruby-railties ruby-rails rails
Architecture: source all
Version: 2:4.2.7.1-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Description:
 rails      - MVC ruby based framework geared for web application development (
 ruby-actionmailer - email composition, delivery, and receiving framework (part of Rai
 ruby-actionpack - web-flow and rendering framework putting the VC in MVC (part of R
 ruby-actionview - framework for handling view template lookup and rendering (part o
 ruby-activejob - job framework with pluggable queues
 ruby-activemodel - toolkit for building modeling frameworks (part of Rails)
 ruby-activerecord - object-relational mapper framework (part of Rails)
 ruby-activesupport - Support and utility classes used by the Rails 4.1 framework
 ruby-rails - MVC ruby based framework geared for web application development
 ruby-railties - tools for creating, working with, and running Rails applications
Closes: 914847 924520
Changes:
 rails (2:4.2.7.1-1+deb9u1) stretch; urgency=medium
 .
   * CVE-2018-16476 (Closes: #914847)
   * CVE-2019-5418 / CVE-2019-5419 (Closes: #924520)
Checksums-Sha1:
 6c5b883626daa29713ae29fd646965093cf4b9ab 3519 rails_4.2.7.1-1+deb9u1.dsc
 2f93a5d884f7fdaa9d459932607e0d59caca86f6 93484 rails_4.2.7.1-1+deb9u1.debian.tar.xz
 856a9cbef04f489b236ecab79e7714470e64302b 13220 rails_4.2.7.1-1+deb9u1_all.deb
 f192259803b85e934cfc519c09e1dff414f1c5fb 11209 rails_4.2.7.1-1+deb9u1_amd64.buildinfo
 b0fbe0ac83d6764fbc03b75a089b87c8bb6a7d07 35626 ruby-actionmailer_4.2.7.1-1+deb9u1_all.deb
 c7c6495dae4023226871dbeec7389d0f883f8e88 168206 ruby-actionpack_4.2.7.1-1+deb9u1_all.deb
 301925a53c4c83906b29df5e52359b8bd5c03df5 131314 ruby-actionview_4.2.7.1-1+deb9u1_all.deb
 ea8c906c10e1901565b1a2791a55c1eb4544cb8a 27970 ruby-activejob_4.2.7.1-1+deb9u1_all.deb
 154b8d7ffe7171779bb20f99d985dfa9b56c1df6 51178 ruby-activemodel_4.2.7.1-1+deb9u1_all.deb
 01772fb1ae8931925218d541d7e8d9ee902ec5ea 281984 ruby-activerecord_4.2.7.1-1+deb9u1_all.deb
 7b47f4e6a376319fae11b1baf405f4a31b759ed1 210208 ruby-activesupport_4.2.7.1-1+deb9u1_all.deb
 dd74f3b65119b6dd831f9361a578098dd24c6567 18036 ruby-rails_4.2.7.1-1+deb9u1_all.deb
 a5f5faa4a3d7bdaf4cbc2e19c211e187b226945c 122786 ruby-railties_4.2.7.1-1+deb9u1_all.deb
Checksums-Sha256:
 cfe39e212570bd00350b4e243a51db9f991416fc9fe1bc0c140271e253065e8c 3519 rails_4.2.7.1-1+deb9u1.dsc
 806f75751ac63ec313ec3455159ee1ce0b1e9f313597362284eae9256a0b47d8 93484 rails_4.2.7.1-1+deb9u1.debian.tar.xz
 e88443d4201900e1206049efb808c8beb95f282e95b4a6312db3a98dd5da6b99 13220 rails_4.2.7.1-1+deb9u1_all.deb
 ec318d02128fc7f18520d63cd19a1a4a8d7ee814a644698bde854ac9eaa8738f 11209 rails_4.2.7.1-1+deb9u1_amd64.buildinfo
 8aab0d06a9504a27193eafcda67afde6ba2fe003ecb2e4fd67266042f0273ad8 35626 ruby-actionmailer_4.2.7.1-1+deb9u1_all.deb
 47f69d40821da400b167918b5750d0ceafd2c14f2e9660ebff63b0fe6df7eb32 168206 ruby-actionpack_4.2.7.1-1+deb9u1_all.deb
 f1c2e3c575244222774f46538b72ec0060b3fe851febeedf4942ca52309264ab 131314 ruby-actionview_4.2.7.1-1+deb9u1_all.deb
 aa896971c7458247dcc7b494aa4b93789f4b8c2c6a12a54d08d5718d9c8dce00 27970 ruby-activejob_4.2.7.1-1+deb9u1_all.deb
 b23959074da9989963561c123bef31e7e3a45d7f58cddc02773674d49ec12fee 51178 ruby-activemodel_4.2.7.1-1+deb9u1_all.deb
 a9e3fc9012d41e1ebd15310efa3a0c01c8b1c747ac9c857abc85baf0ab8c3895 281984 ruby-activerecord_4.2.7.1-1+deb9u1_all.deb
 1f9abc226a8a85711dceab5ffb8f7240aa080df9656963921dccb68529906d3b 210208 ruby-activesupport_4.2.7.1-1+deb9u1_all.deb
 6a8ef41d281e49287c4376494c5f2908f27001f23c2a11268313f007c0872661 18036 ruby-rails_4.2.7.1-1+deb9u1_all.deb
 ac1d58d263c67d72f84f8782e4b2a7764527a62c13c8044a7380a65f8fd556dd 122786 ruby-railties_4.2.7.1-1+deb9u1_all.deb
Files:
 917f23a1fe072d4496538b71dbcce753 3519 ruby optional rails_4.2.7.1-1+deb9u1.dsc
 4b9c58ead5bb272cc8546378086cd3db 93484 ruby optional rails_4.2.7.1-1+deb9u1.debian.tar.xz
 ec323084040a3ac9921e86d22da8fa72 13220 ruby optional rails_4.2.7.1-1+deb9u1_all.deb
 3e048fa857ccabbef374ef103ebe309f 11209 ruby optional rails_4.2.7.1-1+deb9u1_amd64.buildinfo
 718ce53c7740e63e819f74c93be62fd1 35626 ruby optional ruby-actionmailer_4.2.7.1-1+deb9u1_all.deb
 e8b47e7ec1f2c82784448b34b9d4159d 168206 ruby optional ruby-actionpack_4.2.7.1-1+deb9u1_all.deb
 5ce82351a06e9e27f33624a06a77ceea 131314 ruby optional ruby-actionview_4.2.7.1-1+deb9u1_all.deb
 979aa93b73abb542a69bb0c766bbd180 27970 ruby optional ruby-activejob_4.2.7.1-1+deb9u1_all.deb
 52a50bec5d5ccf47dde02d8c3d387b86 51178 ruby optional ruby-activemodel_4.2.7.1-1+deb9u1_all.deb
 5f9f140518ab3bd6015e0396e3478494 281984 ruby optional ruby-activerecord_4.2.7.1-1+deb9u1_all.deb
 30aeee81949b849c746064c3e5032aa9 210208 ruby optional ruby-activesupport_4.2.7.1-1+deb9u1_all.deb
 96354952ed6d7a985599fa5dd10353a5 18036 ruby optional ruby-rails_4.2.7.1-1+deb9u1_all.deb
 bc45eccfb41d26a865d155ea9a3f9e67 122786 ruby optional ruby-railties_4.2.7.1-1+deb9u1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 May 2019 07:26:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:42:37 2019; Machine Name: beach
