Debian Security Advisory
DLA-1739-1 rails -- LTS security update
- Date Reported:
- 31 Mar 2019
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 924520.
In Mitre's CVE dictionary: CVE-2019-5418, CVE-2019-5419.
- More information:
John Hawthorn of Github discovered a file content disclosure vulnerability in Rails, a ruby based web application framework. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.
This vulnerability could also be exploited for a denial-of-service attack.
For Debian 8
Jessie, these problems have been fixed in version 2:4.1.8-1+deb8u5.
We recommend that you upgrade your rails packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS