rails: CVE-2018-16477: Bypass vulnerability in Active Storage

Related Vulnerabilities: CVE-2018-16477   CVE-2018-16476  

Debian Bug report logs - #914848

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 27 Nov 2018 22:18:01 UTC

Severity: grave

Tags: security, upstream

Found in version rails/2:5.2.0+dfsg-1

Fixed in version rails/2:5.2.2+dfsg-1

Done: Sruthi Chandran <srud@disroot.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#914848; Package src:rails. (Tue, 27 Nov 2018 22:18:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 27 Nov 2018 22:18:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rails: CVE-2018-16477: Bypass vulnerability in Active Storage
Date: Tue, 27 Nov 2018 23:15:01 +0100
Source: rails
Version: 2:5.2.0+dfsg-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for rails, and only
affects the 5.2.0 version.

CVE-2018-16477[0]:
Bypass vulnerability in Active Storage

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16477
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16477
[1] https://www.openwall.com/lists/oss-security/2018/11/27/5

Regards,
Salvatore



Reply sent to Sruthi Chandran <srud@disroot.org>:
You have taken responsibility. (Mon, 07 Jan 2019 06:39:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 07 Jan 2019 06:39:07 GMT)


Message #10 received at 914848-close@bugs.debian.org:

From: Sruthi Chandran <srud@disroot.org>
To: 914848-close@bugs.debian.org
Subject: Bug#914848: fixed in rails 2:5.2.2+dfsg-1
Date: Mon, 07 Jan 2019 06:35:07 +0000
Source: rails
Source-Version: 2:5.2.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 914848@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sruthi Chandran <srud@disroot.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 07 Jan 2019 00:23:02 +0530
Source: rails
Binary: ruby-activesupport ruby-activerecord ruby-activemodel ruby-activejob ruby-actionview ruby-actionpack ruby-actionmailer ruby-actioncable ruby-activestorage ruby-railties ruby-rails rails
Architecture: source
Version: 2:5.2.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Sruthi Chandran <srud@disroot.org>
Description:
 rails      - MVC ruby based framework geared for web application development (
 ruby-actioncable - WebSocket framework for Rails (part of Rails)
 ruby-actionmailer - email composition, delivery, and receiving framework (part of Rai
 ruby-actionpack - web-flow and rendering framework putting the VC in MVC (part of R
 ruby-actionview - framework for handling view template lookup and rendering (part o
 ruby-activejob - job framework with pluggable queues
 ruby-activemodel - toolkit for building modeling frameworks (part of Rails)
 ruby-activerecord - object-relational mapper framework (part of Rails)
 ruby-activestorage - Local and cloud file storage framework (part of Rails)
 ruby-activesupport - Support and utility classes used by the Rails 4.1 framework
 ruby-rails - MVC ruby based framework geared for web application development
 ruby-railties - tools for creating, working with, and running Rails applications
Closes: 914847 914848
Changes:
 rails (2:5.2.2+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 5.2.2 (Closes: #914847, #914848)
     (Fixes: CVE-2018-16476, CVE-2018-16477)
   * Delete 0002-edit-activestorage-webpack-config-js.patch
   * Add 0002-disable-uglify-in-activestorage-rollup-config-js.patch





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Feb 2019 07:30:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:27:24 2019; Machine Name: beach
