rails: CVE-2020-8185: Untrusted users able to run pending migrations in production


Debian Bug report logs - #964081


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 1 Jul 2020 11:15:02 UTC

Severity: grave

Tags: security, upstream

Found in version rails/2:6.0.3.1+dfsg-1

Fixed in version rails/2:6.0.3.2+dfsg-1

Done: Utkarsh Gupta <utkarsh@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#964081; Package src:rails. (Wed, 01 Jul 2020 11:15:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 01 Jul 2020 11:15:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rails: CVE-2020-8185: Untrusted users able to run pending migrations in production
Date: Wed, 01 Jul 2020 13:13:44 +0200
Source: rails
Version: 2:6.0.3.1+dfsg-1
Severity: grave
Tags: security upstream

Hi

For details please see
https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0

It only affects experimental. To make sure it does not migrate unfixed
to unstable, using an RC severity here.

Regards,
Salvatore



Reply sent to Utkarsh Gupta <utkarsh@debian.org>:
You have taken responsibility. (Wed, 01 Jul 2020 12:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 01 Jul 2020 12:09:03 GMT)


Message #10 received at 964081-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 964081-close@bugs.debian.org
Subject: Bug#964081: fixed in rails 2:6.0.3.2+dfsg-1
Date: Wed, 01 Jul 2020 12:05:03 +0000
Source: rails
Source-Version: 2:6.0.3.2+dfsg-1
Done: Utkarsh Gupta <utkarsh@debian.org>

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 964081@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utkarsh@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 01 Jul 2020 17:12:45 +0530
Source: rails
Architecture: source
Version: 2:6.0.3.2+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Closes: 964081
Changes:
 rails (2:6.0.3.2+dfsg-1) experimental; urgency=medium
 .
   * New upstream version 6.0.3.2+dfsg
     - Fixes CVE-2020-8185: Untrusted users able to run pending
       migrations in production (Closes: 964081)
   * Refresh d/patches
Checksums-Sha1:
 85379215adc881eb39727d5eef1c289ecd3c67cf 5246 rails_6.0.3.2+dfsg-1.dsc
 4fadc020c6598d215fa8c64b7d2cdc116940acd0 13966404 rails_6.0.3.2+dfsg.orig.tar.xz
 543757bfa422d2ef2caf43ad43af0c91727774c1 96416 rails_6.0.3.2+dfsg-1.debian.tar.xz
 01d976dc376237d49105392ff5b45d429653f2b3 41839 rails_6.0.3.2+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 458c3ccd68bca255391779fb9b889485906de7f808f0843d6c0346d727164d89 5246 rails_6.0.3.2+dfsg-1.dsc
 1e1fb1dcedba5daab17f69aa63d4f5c3e5bb027239f7d223cb960f7405afe20c 13966404 rails_6.0.3.2+dfsg.orig.tar.xz
 579f7407d3ba95deeca8528e3dd931da440fb04b147fbf23d98334d3e568cd0d 96416 rails_6.0.3.2+dfsg-1.debian.tar.xz
 f1d45340c6d136ee0e4e2aabeccd360680dd7b63b4cfbe68e8e49c8990ab8189 41839 rails_6.0.3.2+dfsg-1_amd64.buildinfo
Files:
 78fb749a9b404e8fd225ca7fcc01042f 5246 ruby optional rails_6.0.3.2+dfsg-1.dsc
 2333929498af59636aab238f9ec038e3 13966404 ruby optional rails_6.0.3.2+dfsg.orig.tar.xz
 bb531b28af168eaa83d0383fb1a4b96c 96416 ruby optional rails_6.0.3.2+dfsg-1.debian.tar.xz
 7f7ef66b865b3c648d49f25531f91e2e 41839 ruby optional rails_6.0.3.2+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCAAxFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl78eT0THHV0a2Fyc2hA
ZGViaWFuLm9yZwAKCRCCPpZ2BsNLlnPOEACjRSuHrkrg8bHVcAzFh6wGkyTragcQ
9lUUjEpoCi7z/Biy4dA+UYbKoac1jcLoIXTbCxit82M9sXHjRnOyfS3f6S6rONxo
KqEJJYd3m1YEiMvK5xoCoWHm2nWdYd1w+NUM7uJI3wu80znK6aQpd23xo8irURS4
EALP9+V1gsNtle9MGndW7ZLM2/qGy0N+tlRXeMwHoBx+GJdO1VW2rb2bvSYyCH7d
ycq/VOsiAa8/QwYSHzR7AhKvK/66LN/pYed8FW8Y5preM0k3aCOPKe1PcU8x4Bog
HVohnfcR8cvAGn7+qbox2fmGVO0ZnEdElmXkotcZ2T8hREfEZkiUXtaZFCj4F3pS
2GM3vWinzzdu60+PkN/dFDWSrJOC/gI3P5hZF5F6/8zJRK5aFSNb0I6yGGkM/V3B
APne5BTzIij7wyT0GnbAckw2lLF6tnb/Gmp6eOOWlIKbQ3Br/JFBh4nRz6FE7nK8
pmczSMa6gzfOALYq+TTpe2aDASNGWvPiHL9dGhWe7TD7kbvpJJR3mDXxG8hYJm1x
dnuaoALNJOCM3U94tJ6meA6uTlPYFok85FACkXPxComTC5LTsVOtacd77T4RCE7a
2jh+qqDhbEqCiipRYhe4q+1L1JBQXZ4yT/4tblWUfDWhW8gghffimt+hBF/irLkv
0Q6jdRpILmO+eQ==
=DciR
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jul 2 09:11:58 2020; Machine Name: buxtehude
