rails: CVE-2019-5420

Related Vulnerabilities: CVE-2019-5420   CVE-2019-5418   CVE-2019-5419  

Debian Bug report logs - #924521
rails: CVE-2019-5420


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 13 Mar 2019 21:45:02 UTC

Severity: important

Tags: security, upstream

Found in versions rails/2:5.2.2+dfsg-6, rails/2:5.2.2+dfsg-5

Fixed in version rails/2:5.2.2.1+dfsg-1

Done: Utkarsh Gupta <guptautkarsh4102@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#924521; Package src:rails. (Wed, 13 Mar 2019 21:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 13 Mar 2019 21:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rails: CVE-2019-5420
Date: Wed, 13 Mar 2019 22:41:42 +0100
Source: rails
Version: 2:5.2.2+dfsg-6
Severity: important
Tags: security upstream
Control: found -1 2:5.2.2+dfsg-5

Hi,

The following vulnerability was published for rails.

CVE-2019-5420[0]:
Possible Remote Code Execution Exploit in Rails Development Mode

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5420
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5420
[1] https://www.openwall.com/lists/oss-security/2019/03/13/3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


Marked as found in versions rails/2:5.2.2+dfsg-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 13 Mar 2019 21:45:04 GMT)


Reply sent to Utkarsh Gupta <guptautkarsh4102@gmail.com>:
You have taken responsibility. (Tue, 19 Mar 2019 07:21:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 19 Mar 2019 07:21:08 GMT)


Message #12 received at 924521-close@bugs.debian.org:

From: Utkarsh Gupta <guptautkarsh4102@gmail.com>
To: 924521-close@bugs.debian.org
Subject: Bug#924521: fixed in rails 2:5.2.2.1+dfsg-1
Date: Tue, 19 Mar 2019 07:19:43 +0000
Source: rails
Source-Version: 2:5.2.2.1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924521@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <guptautkarsh4102@gmail.com> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 17 Mar 2019 17:44:07 +0530
Source: rails
Binary: ruby-activesupport ruby-activerecord ruby-activemodel ruby-activejob ruby-actionview ruby-actionpack ruby-actionmailer ruby-actioncable ruby-activestorage ruby-railties ruby-rails rails
Architecture: source
Version: 2:5.2.2.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <guptautkarsh4102@gmail.com>
Description:
 rails      - MVC ruby based framework geared for web application development (
 ruby-actioncable - WebSocket framework for Rails (part of Rails)
 ruby-actionmailer - email composition, delivery, and receiving framework (part of Rai
 ruby-actionpack - web-flow and rendering framework putting the VC in MVC (part of R
 ruby-actionview - framework for handling view template lookup and rendering (part o
 ruby-activejob - job framework with pluggable queues
 ruby-activemodel - toolkit for building modeling frameworks (part of Rails)
 ruby-activerecord - object-relational mapper framework (part of Rails)
 ruby-activestorage - Local and cloud file storage framework (part of Rails)
 ruby-activesupport - Support and utility classes used by the Rails 4.1 framework
 ruby-rails - MVC ruby based framework geared for web application development
 ruby-railties - tools for creating, working with, and running Rails applications
Closes: 924520 924521
Changes:
 rails (2:5.2.2.1+dfsg-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 5.2.2.1+dfsg (Closes: #924520, #924521)
     (Fixes: CVE-2019-5418 CVE-2019-5419, CVE-2019-5420)
   * Drop unused override
   * Remove duplicate Depends entry for rake
   * Add d/upstream/metadata

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 16 Apr 2019 07:27:18 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:12:56 2019; Machine Name: beach
