[SECURITY] [DLA 2251-1] rails security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2251-1] rails security update
From: Sylvain Beucler <beuc@beuc.net>
Date: Fri, 19 Jun 2020 19:14:46 +0200
Message-id: <[🔎] 20200619171446.cjqs2lqabdkahnhh@mail.beuc.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : rails
Version        : 2:4.1.8-1+deb8u7
CVE ID         : CVE-2020-8164 CVE-2020-8165


Two vulnerabilities were found in Ruby on Rails, a MVC ruby-based
framework geared for web application development, which could lead to
remote code execution and untrusted user input usage, depending on the
application.

CVE-2020-8164

    Strong parameters bypass vector in ActionPack.  In some cases user
    supplied information can be inadvertently leaked from Strong
    Parameters.  Specifically the return value of `each`, or
    `each_value`, or `each_pair` will return the underlying
    "untrusted" hash of data that was read from the parameters.
    Applications that use this return value may be inadvertently use
    untrusted user input.

CVE-2020-8165

    Potentially unintended unmarshalling of user-provided objects in
    MemCacheStore.  There is potentially unexpected behaviour in the
    MemCacheStore where, when untrusted user input is written to the
    cache store using the `raw: true` parameter, re-reading the result
    from the cache can evaluate the user input as a Marshalled object
    instead of plain text.  Unmarshalling of untrusted user input can
    have impact up to and including RCE. At a minimum, this
    vulnerability allows an attacker to inject untrusted Ruby objects
    into a web application.

    In addition to upgrading to the latest versions of Rails,
    developers should ensure that whenever they are calling
    `Rails.cache.fetch` they are using consistent values of the `raw`
    parameter for both reading and writing.

For Debian 8 "Jessie", these problems have been fixed in version
2:4.1.8-1+deb8u7.

We recommend that you upgrade your rails packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl7s8VgACgkQj/HLbo2J
BZ9+mwf/eTm6thb+c3shNLZxrJpoucZ9mwAeDvZ6fGpToePHb3aNlwqUI5MuUjp8
4s0FxpD1fLcDhhTGZTJkqeThQ/4qoutzvZjbsK9bGRLBo71Zkru2DolEvf71KNZC
e0RDl/mfQHyhuDHePgnW8LV2MgG1/z+WKwabQ25mowV7lsoLIG8Z7F+wy7DkmeWN
RybrUrCZGs+3J5KmhnAWM/U8oaQBgOQcYHdKGieCJ3KlUp7+LsDZEMEmbU4Cggog
wGFovg3jsYTWDA3CNTW1ciK+Pw4x6XwWe+hyQzWZCt7j0ua1+o11GLVW1/cuHdpJ
kci12HV5BINkmtAbCtHdilLjOrLT5Q==
=f8HC
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2250-1] drupal7 security update
Next by Date: [SECURITY] [DLA 2252-1] ngircd security update
Previous by thread: [SECURITY] [DLA 2250-1] drupal7 security update
Next by thread: [SECURITY] [DLA 2252-1] ngircd security update
Index(es):
- Date
- Thread