Debian Bug report logs - #790486
rails: CVE-2015-3226: XSS in ActiveSupport::JSON.encode
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 29 Jun 2015 18:36:01 UTC
Severity: important
Tags: fixed-upstream, patch, security, upstream
Found in version rails/2:4.1.8-1
Fixed in versions rails/2:4.1.8-1+deb8u1, rails/2:4.2.3-1
Done: Antonio Terceiro <terceiro@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#790486; Package src:rails. (Mon, 29 Jun 2015 18:36:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 29 Jun 2015 18:36:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: rails
Version: 2:4.1.8-1
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for rails.
CVE-2015-3226[0]:
XSS Vulnerability in ActiveSupport::JSON.encode
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-3226
[1] http://seclists.org/oss-sec/2015/q2/732
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Reply sent to Antonio Terceiro <terceiro@debian.org>: You have taken responsibility. (Tue, 02 Feb 2016 21:36:04 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 02 Feb 2016 21:36:05 GMT)
Message #10 received at 790486-close@bugs.debian.org:
Source: rails
Source-Version: 2:4.1.8-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 790486@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated rails package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 28 Jan 2016 11:12:33 -0200
Source: rails
Binary: ruby-activesupport ruby-activesupport-2.3 ruby-activerecord ruby-activemodel ruby-actionview ruby-actionpack ruby-actionmailer ruby-railties ruby-rails rails
Architecture: source all
Version: 2:4.1.8-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
rails - MVC ruby based framework geared for web application development (
ruby-actionmailer - email composition, delivery, and receiving framework (part of Rai
ruby-actionpack - web-flow and rendering framework putting the VC in MVC (part of R
ruby-actionview - framework for handling view template lookup and rendering (part o
ruby-activemodel - toolkit for building modeling frameworks (part of Rails)
ruby-activerecord - object-relational mapper framework (part of Rails)
ruby-activesupport - Support and utility classes used by the Rails 4.1 framework
ruby-activesupport-2.3 - transitional dummy package
ruby-rails - MVC ruby based framework geared for web application development
ruby-railties - tools for creating, working with, and running Rails applications
Closes: 790486 790487
Changes:
rails (2:4.1.8-1+deb8u1) jessie-security; urgency=high
.
* Security updates:
- [CVE-2015-3227] Possible Denial of Service attack in Active Support
(Closes: #790487)
- [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode
(Closes: #790486)
- [CVE-2015-7576] Timing attack vulnerability in basic authentication in
Action Controller.
- [CVE-2016-0751] Possible Object Leak and Denial of Service attack in
Action Pack
- [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.
- [CVE-2016-0752] Possible Information Leak Vulnerability in Action View
- [CVE-2016-0753] Possible Input Validation Circumvention in Active Model
- [CVE-2015-7581] Object leak vulnerability for wildcard controller routes
in Action Pack
Marked as fixed in versions rails/2:4.2.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 06 Feb 2016 10:12:06 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Apr 2016 07:37:48 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 16:00:46 2019
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.