Debian Security Advisory

DLA-1739-1 rails -- LTS security update

Date Reported: 31 Mar 2019
Affected Packages: rails
Vulnerable: Yes
Security database references:
In the Debian bugtracking system: Bug 924520.
In MITRE's CVE dictionary: CVE-2019-5418, CVE-2019-5419.
More information:

John Hawthorn of GitHub discovered a file content disclosure vulnerability in Rails, a Ruby-based web application framework. Specially crafted Accept headers, in combination with calls to `render file:`, can cause arbitrary files on the target server to be rendered, disclosing their contents.

This vulnerability could also be exploited for a denial-of-service attack.
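Because the attacker-controlled input here is the Accept header, one compensating detection is to check that header against the media-range syntax it is supposed to carry. The following Ruby script is an added example, not code from the advisory, from Debian or from Rails: it validates each comma-separated element of an Accept header against the RFC 7231 media-range grammar (with RFC 6838's rule that type and subtype names begin with an alphanumeric character) and runs that check over constructed access-log lines. The log format, IP addresses and paths are all constructed for illustration; the `render file:` behaviour itself is not reproduced.

```ruby
# Added example (not part of the Debian advisory or of Rails): flag HTTP requests
# whose Accept header is not a syntactically valid list of media ranges.
# The log format below is constructed for illustration.

# RFC 7231 token characters (parameter names and unquoted parameter values).
TOKEN = '[!#$%&\'*+.^_`|~0-9A-Za-z-]+'
# RFC 6838 restricted-name for type/subtype: starts alphanumeric, max 127 chars;
# '*' is allowed for wildcard ranges such as */* or text/*.
NAME = '(?:\*|[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126})'
# RFC 7230 quoted-string (backslash escapes allowed inside).
QUOTED = '"(?:[^"\\\\]|\\\\.)*"'
# One media range with optional ;name=value parameters (q=0.8 included).
MEDIA_RANGE = /\A#{NAME}\/#{NAME}(?:\s*;\s*#{TOKEN}=(?:#{TOKEN}|#{QUOTED}))*\z/

# True when the header is absent (client accepts anything) or every
# comma-separated element is a well-formed media range.
def valid_accept_header?(value)
  return true if value.nil? || value.strip.empty?
  value.split(',').all? { |range| range.strip.match?(MEDIA_RANGE) }
end

# Constructed access-log lines: "<time> <ip> <method> <path> accept=<header>".
SAMPLE_LOG = <<~'LOG'
  2019-03-31T10:00:00Z 192.0.2.10 GET /reports/1 accept="text/html,application/xhtml+xml;q=0.9,*/*;q=0.8"
  2019-03-31T10:00:02Z 192.0.2.11 GET /api/reports accept="application/json"
  2019-03-31T10:00:05Z 192.0.2.77 GET /reports/1 accept="../../constructed/not-a-media-type"
  2019-03-31T10:00:07Z 192.0.2.12 GET /reports/1 accept="text/html; charset="utf-8""
  2019-03-31T10:00:09Z 192.0.2.78 GET /reports/1 accept="text/html;notaparam"
  2019-03-31T10:00:11Z 192.0.2.13 GET /reports/1 accept="text/*"
LOG

# Parser for the constructed log format above; the last field is quoted.
LOG_LINE = /\A(\S+) (\S+) (\S+) (\S+) accept="(.*)"\z/

# Returns one hash per line whose Accept header fails the syntax check.
def suspicious_accept_headers(log_text)
  log_text.each_line.map do |line|
    m = LOG_LINE.match(line.chomp)
    next unless m
    time, ip, _method, path, accept = m.captures
    next if valid_accept_header?(accept)
    { time: time, ip: ip, path: path, accept: accept }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  suspicious_accept_headers(SAMPLE_LOG).each do |hit|
    puts "#{hit[:time]} #{hit[:ip]} #{hit[:path]} malformed Accept: #{hit[:accept].inspect}"
  end
end
```

The check is deliberately strict on the type and subtype names rather than on the token grammar alone, because `.` is a legal token character and a purely token-based check would accept names made only of dots. A filter like this surfaces clients that are probing the header, but it is a detection aid alongside the upgrade the advisory recommends, not a replacement for it.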

For Debian 8 Jessie, these problems have been fixed in version 2:4.1.8-1+deb8u5.

We recommend that you upgrade your rails packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS