Debian Security Advisory

DLA-1419-1 ruby-sprockets -- LTS security update

Date Reported:
12 Jul 2018
Affected Packages:
ruby-sprockets
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2018-3760.
More information:

It was discovered that there was a path traversal flaw in ruby-sprockets, a Rack-based asset packaging system. A remote attacker could take advantage of this flaw to read arbitrary files outside an application's root directory via "file://" requests.

For Debian 8 "Jessie", this issue has been fixed in ruby-sprockets version 2.12.3-1+deb8u1.

We recommend that you upgrade your ruby-sprockets packages.
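
To review web server logs for the "file://" requests described above, the following Ruby script is an added example; it is not part of the Debian advisory or of the Sprockets code base. It assumes combined-format access logs and an `/assets` mount point (adjust `ASSET_PREFIX` for your application), and the log lines in it are constructed samples.

```ruby
require "uri"

# Assumption: Sprockets assets are served under this prefix.
ASSET_PREFIX = "/assets"
# Upper bound on decoding passes so a crafted target cannot loop forever.
MAX_DECODE_ROUNDS = 5
# Request line as it appears in common/combined access log format.
REQUEST_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/

# Percent-decode until the value stops changing, so a scheme hidden
# behind nested encoding is normalised before matching.
def fully_decode(target)
  current = target
  MAX_DECODE_ROUNDS.times do
    begin
      decoded = URI.decode_www_form_component(current).scrub
    rescue ArgumentError
      break # malformed %-escape: keep what has been decoded so far
    end
    break if decoded == current
    current = decoded
  end
  current
end

# True when an asset request carries a file: scheme after decoding.
def suspicious_asset_request?(line)
  m = REQUEST_RE.match(line)
  return false unless m
  decoded = fully_decode(m[:target])
  decoded.start_with?(ASSET_PREFIX) && decoded.match?(/file:/i)
end

def scan(lines)
  lines.select { |line| suspicious_asset_request?(line) }
end

# Constructed sample log lines (documentation addresses, placeholder paths).
SAMPLE_LOG = [
  '203.0.113.7 - - [12/Jul/2018:10:00:01 +0000] "GET /assets/application.css HTTP/1.1" 200 512',
  '203.0.113.7 - - [12/Jul/2018:10:00:02 +0000] "GET /assets/file:%2F%2F/PLACEHOLDER HTTP/1.1" 200 90',
  '203.0.113.9 - - [12/Jul/2018:10:00:03 +0000] "GET /assets/file%253A%252F%252F/PLACEHOLDER HTTP/1.1" 200 90',
  '203.0.113.9 - - [12/Jul/2018:10:00:04 +0000] "GET /profile?next=file:notes HTTP/1.1" 200 40',
  '203.0.113.9 - - [12/Jul/2018:10:00:05 +0000] "GET /assets/bad%zz.js HTTP/1.1" 404 0'
].freeze

puts scan(SAMPLE_LOG) if __FILE__ == $PROGRAM_NAME
```

A hit on a host that was running a version older than 2.12.3-1+deb8u1 at the time of the request warrants checking the response status and size for that entry.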