Debian Long Term Support / LTS Security Information / 2019 / Security Information -- DLA-1739-1 rails

Debian Security Advisory

DLA-1739-1 rails -- LTS security update

Date Reported:

31 Mar 2019

Affected Packages:

rails

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 924520.
In Mitre's CVE dictionary: CVE-2019-5418, CVE-2019-5419.

More information:

John Hawthorn of Github discovered a file content disclosure vulnerability in Rails, a ruby based web application framework. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.

This vulnerability could also be exploited for a denial-of-service attack.

For Debian 8 Jessie, these problems have been fixed in version 2:4.1.8-1+deb8u5.

We recommend that you upgrade your rails packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS