Debian Security Advisory
DLA-2251-1 rails -- LTS security update
- Date Reported: 19 Jun 2020
- Affected Packages: rails
- Security database references: In Mitre's CVE dictionary: CVE-2020-8164, CVE-2020-8165.
- More information:
Two vulnerabilities were found in Ruby on Rails, an MVC Ruby-based framework geared for web application development, which could lead to remote code execution and to the use of untrusted user input, depending on the application.
CVE-2020-8164: Strong parameters bypass vector in ActionPack. In some cases user-supplied information can be inadvertently leaked from Strong Parameters. Specifically, the return value of `each`, `each_value`, or `each_pair` is the underlying untrusted hash of data that was read from the parameters. Applications that use this return value may inadvertently use untrusted user input.
CVE-2020-8165: Potentially unintended unmarshalling of user-provided objects in MemCacheStore. There is potentially unexpected behaviour in the MemCacheStore: when untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result from the cache without `raw: true` can evaluate the user input as a Marshalled object instead of plain text. Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum, this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.
In addition to upgrading to the latest versions of Rails, developers should ensure that whenever they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both reading and writing.
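The read/write asymmetry behind CVE-2020-8165, as an added illustration that is not part of the advisory and not Rails' own MemCacheStore code: `ToyCacheStore` is a constructed in-memory stand-in that stores raw writes verbatim and Marshal-dumps non-raw writes, exactly like the mismatch the advisory warns about, and the "user input" is a constructed Marshal stream of a harmless Hash.

```ruby
# Constructed stand-in for a cache backend (a plain Hash keyed by cache key).
# It is NOT Rails' MemCacheStore; it only reproduces the raw/non-raw
# read-write asymmetry described in the advisory.
class ToyCacheStore
  def initialize
    @backend = {}
  end

  # raw: true stores the value verbatim; raw: false (the default) stores a
  # Marshal dump, as a non-raw cache write does.
  def write(key, value, raw: false)
    @backend[key] = raw ? value.to_s : Marshal.dump(value)
  end

  # raw: true returns the stored bytes unchanged; raw: false unmarshals them.
  # A non-raw read of a raw-written entry therefore calls Marshal.load on
  # whatever string was written, which is the hazard.
  def read(key, raw: false)
    data = @backend[key]
    return nil if data.nil?
    raw ? data : Marshal.load(data)
  end
end

# Reproduces the bug: user-controlled text written with raw: true, then read
# back with the default raw: false. Text that is a valid Marshal stream comes
# back as a live Ruby object instead of a String.
def mismatched_raw_read(user_input)
  store = ToyCacheStore.new
  store.write("note", user_input, raw: true)
  store.read("note")                     # raw omitted -> Marshal.load runs
end

# The mitigation the advisory gives: the same raw value on both sides, so the
# stored bytes are returned as plain text.
def consistent_raw_read(user_input)
  store = ToyCacheStore.new
  store.write("note", user_input, raw: true)
  store.read("note", raw: true)
end

# Constructed "user input" that happens to be a valid Marshal stream of a
# harmless Hash; any serialized object would behave the same way.
USER_INPUT = Marshal.dump({ "role" => "viewer" })

if __FILE__ == $0
  p mismatched_raw_read(USER_INPUT).class  # Hash: an object, not text
  p consistent_raw_read(USER_INPUT).class  # String
end
```

A real application would wrap `Rails.cache.fetch` so that `raw` cannot differ between the read and write paths, rather than passing it at each call site.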
For Debian 8 "Jessie", these problems have been fixed in version 2:4.1.8-1+deb8u7.
We recommend that you upgrade your rails packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS