[SECURITY] [DLA 1739-1] rails security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1739-1] rails security update
From: Markus Koschany <apo@debian.org>
Date: Sun, 31 Mar 2019 15:51:06 +0200
Message-id: <[🔎] 4333f071-1066-95dd-df64-b49bbe20a45c@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : rails
Version        : 2:4.1.8-1+deb8u5
CVE ID         : CVE-2019-5418 CVE-2019-5419
Debian Bug     : 924520

John Hawthorn of Github discovered a file content disclosure
vulnerability in Rails, a ruby based web application framework.
Specially crafted accept headers in combination with calls to `render
file:` can cause arbitrary files on the target server to be rendered,
disclosing the file contents.

This vulnerability could also be exploited for a denial-of-service
attack.

For Debian 8 "Jessie", these problems have been fixed in version
2:4.1.8-1+deb8u5.

We recommend that you upgrade your rails packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlygxcpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeR00g/+Nu/1PQI0LAcjuGZD2D6UvJ02cKv6vEJ8kyO3k7upjkGMlXsK+KnXKFrW
H4n1oljsKd0KEKF/5w5eTs299sj1jXBOR/Xtq1AxH1z/RQaULGLqFf0yPF5+aHrJ
0mACiLGPIqwbSymT1nz6Gemt6rXo9b6PUnCxqj2lu5k7t4t9Al1kRwArBr4tzwaW
c3tqAIER8HC/8AkdFFZipVBdIbgi0xDjlpfWbvD/sqdjKgM70JsxxTLOjXZlS03R
wWoRuO+KXosjRaCC/hxsYMb+jg31XULqfVCQnwdihPQuL/sGIsLU4uduG5XIgp2y
GOV3bVqaQNZPZKDGR4obtNUU6CCSntqjL8jS5H7XTjjrgoEOnlC5M3x6EVxtNO8t
6+Pn7acQ3KO40O2iXa5dRdOURaKAVPBg80W+ePEkgjYpBxBDYMDioMlacg7eXlIg
P2poEUFb9DLOrZJi9Qi24VnVuH/QJl7/K++t7Ed2IVLJEgvtLUnm4i4Y86n7kSn0
UKAIKvIwKMfdmyLuuUZzHDWbFXhYiERW7l0LQoqRcGvw14OsGdj+nUb18cIv3EYS
pW8kSGDw3CQbQa+rklxDUg4EvikwcJ0ixuYfYZXoQX5ey6LAK2CxjuqnBNsEOAAO
REu759u1S0m2i9vwg0SHGU9J9ShrMZSPPHFkHGvqM9ZMJp9VlRY=
=cKL4
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1740-1] libav security update
Next by Date: [SECURITY] [DLA 1741-1] php5 security update
Previous by thread: [SECURITY] [DLA 1740-1] libav security update
Next by thread: [SECURITY] [DLA 1741-1] php5 security update
Index(es):
- Date
- Thread