Debian Bug report logs - #914848
rails: CVE-2018-16477: Bypass vulnerability in Active Storage
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 27 Nov 2018 22:18:01 UTC
Severity: grave
Tags: security, upstream
Found in version rails/2:5.2.0+dfsg-1
Fixed in version rails/2:5.2.2+dfsg-1
Done: Sruthi Chandran <srud@disroot.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#914848; Package src:rails. (Tue, 27 Nov 2018 22:18:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 27 Nov 2018 22:18:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: rails
Version: 2:5.2.0+dfsg-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for rails, and only
affects the 5.2.0 version.
CVE-2018-16477[0]:
Bypass vulnerability in Active Storage
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-16477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16477
[1] https://www.openwall.com/lists/oss-security/2018/11/27/5
Regards,
Salvatore
Reply sent to Sruthi Chandran <srud@disroot.org>: You have taken responsibility. (Mon, 07 Jan 2019 06:39:07 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 07 Jan 2019 06:39:07 GMT)
Message #10 received at 914848-close@bugs.debian.org:
Source: rails
Source-Version: 2:5.2.2+dfsg-1
We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 914848@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sruthi Chandran <srud@disroot.org> (supplier of updated rails package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 07 Jan 2019 00:23:02 +0530
Source: rails
Binary: ruby-activesupport ruby-activerecord ruby-activemodel ruby-activejob ruby-actionview ruby-actionpack ruby-actionmailer ruby-actioncable ruby-activestorage ruby-railties ruby-rails rails
Architecture: source
Version: 2:5.2.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Sruthi Chandran <srud@disroot.org>
Description:
rails - MVC ruby based framework geared for web application development (
ruby-actioncable - WebSocket framework for Rails (part of Rails)
ruby-actionmailer - email composition, delivery, and receiving framework (part of Rai
ruby-actionpack - web-flow and rendering framework putting the VC in MVC (part of R
ruby-actionview - framework for handling view template lookup and rendering (part o
ruby-activejob - job framework with pluggable queues
ruby-activemodel - toolkit for building modeling frameworks (part of Rails)
ruby-activerecord - object-relational mapper framework (part of Rails)
ruby-activestorage - Local and cloud file storage framework (part of Rails)
ruby-activesupport - Support and utility classes used by the Rails 4.1 framework
ruby-rails - MVC ruby based framework geared for web application development
ruby-railties - tools for creating, working with, and running Rails applications
Closes: 914847 914848
Changes:
rails (2:5.2.2+dfsg-1) unstable; urgency=medium
.
* New upstream version 5.2.2 (Closes: #914847, #914848)
(Fixes: CVE-2018-16476, CVE-2018-16477)
* Delete 0002-edit-activestorage-webpack-config-js.patch
* Add 0002-disable-uglify-in-activestorage-rollup-config-js.patch
Checksums-Sha1:
a73d505257109845c897741d4cf6aa0d75422ec4 4198 rails_5.2.2+dfsg-1.dsc
917b7cd7dcaca3493a452c9f93cf4f7a68d2f9ec 6145456 rails_5.2.2+dfsg.orig.tar.xz
c7085920aa2d41814b6142855410a306237fbcc4 86824 rails_5.2.2+dfsg-1.debian.tar.xz
634f5073b7595f6a4db21af037a7dc3a2192e917 8568 rails_5.2.2+dfsg-1_source.buildinfo
Checksums-Sha256:
0d7de5c5a3e46c255e4305443035f2685a6922ebfcccf3cddb2ab71449077dad 4198 rails_5.2.2+dfsg-1.dsc
0a7d0ff57d2683804196cf39307dfe79bf7c85625b9f5fcfd2aae9a55e048663 6145456 rails_5.2.2+dfsg.orig.tar.xz
291579b00dd6910983c486a2d2f620f05d182f412819d81c7a632891ca458e9f 86824 rails_5.2.2+dfsg-1.debian.tar.xz
6f3eef98fe6772f953b686fa5ba97b409a17221e7c7f51445e265332201ab341 8568 rails_5.2.2+dfsg-1_source.buildinfo
Files:
cb76e43a7a61b95789269d283b1a9a1e 4198 ruby optional rails_5.2.2+dfsg-1.dsc
4fbd4b546a858a99856097177620e4c5 6145456 ruby optional rails_5.2.2+dfsg.orig.tar.xz
30e6287deba09b237ee37dd35fff31d0 86824 ruby optional rails_5.2.2+dfsg-1.debian.tar.xz
a8f13edd00be9d097c0bf5594ef536d3 8568 ruby optional rails_5.2.2+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=Az+E
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Feb 2019 07:30:09 GMT)
Last modified: Wed Jun 19 14:27:24 2019