[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 604-1] ruby-actionpack-3.2 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : ruby-actionpack-3.2
Version        : 3.2.6-6+deb7u3
CVE ID         : CVE-2015-7576 CVE-2016-0751 CVE-2016-0752 CVE-2016-2097 
                 CVE-2016-2098 CVE-2016-6316

Multiple vulnerabilities have been discovered in ruby-actionpack-3.2, a
web-flow and rendering framework and part of Rails:

CVE-2015-7576

  A flaw was found in the way the Action Controller component compared
  user names and passwords when performing HTTP basic
  authentication. Time taken to compare strings could differ depending
  on input, possibly allowing a remote attacker to determine valid user
  names and passwords using a timing attack.

CVE-2016-0751

  A flaw was found in the way the Action Pack component performed MIME
  type lookups. Since queries were cached in a global cache of MIME
  types, an attacker could use this flaw to grow the cache indefinitely,
  potentially resulting in a denial of service.

CVE-2016-0752

  A directory traversal flaw was found in the way the Action View
  component searched for templates for rendering. If an application
  passed untrusted input to the 'render' method, a remote,
  unauthenticated attacker could use this flaw to render unexpected
  files and, possibly, execute arbitrary code.

CVE-2016-2097

  Crafted requests to Action View might result in rendering files from
  arbitrary locations, including files beyond the application's view
  directory. This vulnerability is the result of an incomplete fix of
  CVE-2016-0752.  This bug was found by Jyoti Singh and Tobias Kraze
  from Makandra.

CVE-2016-2098

   If a web applications does not properly sanitize user inputs, an
   attacker might control the arguments of the render method in a
   controller or a view, resulting in the possibility of executing
   arbitrary ruby code.  This bug was found by Tobias Kraze from
   Makandra and joernchen of Phenoelit.

CVE-2016-6316

  Andrew Carpenter of Critical Juncture discovered a cross-site
  scripting vulnerability affecting Action View. Text declared as "HTML
  safe" will not have quotes escaped when used as attribute values in
  tag helpers.

For Debian 7 "Wheezy", these problems have been fixed in version
3.2.6-6+deb7u3.

We recommend that you upgrade your ruby-actionpack-3.2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJXwyoKAAoJEAe4t7DqmBILmR0P/1ej8OsYXHNwoRtkTUKdVCeH
EBXJJA712GMyx93CvP9EjD7XkGvaCPtUKxpOq3Ch7IdGo5txLh7u13ayaKVi65ir
2LHovee6AXh08Y9g3f5svIDnsK8xwVp4O1aSTPI/JY+PwXJ6fp3jK2KOss1+euOI
x0hqmuvxCf9xjA84CAOf2zDJUiT/NECGf5EVUFOi98gkXU1MoKyh/FCy3XquSq8K
Pmlp/Vxh/Ircyw6b+5b8vepbmUt1+tFlFpyXYGozpXZ/qx8B2o9F+e++J68QXF8n
xQQeXroCdnCCaNV03FnUf+5IsDgV99UUETrQ70+dyW9RLtxNbu05yffySp2tsuNs
Zzgc4BXCf4y4ncFAZf+hrTYNRzMDGz/tEg3qH9KpWgTegCsXrIHQ0KqCfhAx+Vth
8laPsaQLGV6lu0aCPgicZS0J6jCn/nVMsbMgqoCHnZszL6gTLiSUMsybq6XbLqhQ
a930O+q/+1yib1LaI+p7wJhB1bl1u0QTfA68jSakMO3MAXDozM1QTtPhxQMjoUoQ
C/Wa/kXkRDzgjBPVQ3tV5F+AiaZ228QidoFMa+KocYiJrl/kxLzvvwS7ck6DTZa/
YJ7jXqpmUdGSnzRPgnb2yXgOdvea67dxtt9vm9RsHcFyuqEOrw3wOeFChjxM2wy2
pRetQsa0pVVl3/cFdaHz
=HceA
-----END PGP SIGNATURE-----


Reply to: