
[SECURITY] [DLA 3360-1] ruby-sidekiq security update




-------------------------------------------------------------------------
Debian LTS Advisory DLA-3360-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
March 13, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ruby-sidekiq
Version        : 5.2.3+dfsg-1+deb10u1
CVE ID         : CVE-2021-30151 CVE-2022-23837
Debian Bug     : 987354 1004193

ruby-sidekiq, a simple and efficient background-processing library for
Ruby, had the following two vulnerabilities:

CVE-2021-30151

    Sidekiq allows XSS via the queue name of the live-poll feature
    when Internet Explorer is used.

CVE-2022-23837

    In api.rb in Sidekiq, there is no limit on the number of days
    when requesting stats for the graph. This overloads the system,
    affecting the Web UI, and makes it unavailable to users.
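Both issues above are cases of an untrusted request parameter reaching a
sensitive sink unchecked: the queue name reaches HTML markup (CVE-2021-30151)
and the "days" value drives an unbounded amount of stats work (CVE-2022-23837).
The following is an added illustration of the defensive handling for each,
written for this advisory; it is not Sidekiq's own code or the Debian patch.
The function names, the markup, the default of 30 days and the cap of 180 days
are assumptions chosen for the example.

```ruby
require 'cgi'

# Added example, not Sidekiq's code. Limits below are assumed values; the
# advisory only states that the original accepted an unlimited number of days.
DEFAULT_STATS_DAYS = 30
MAX_STATS_DAYS = 180

# CVE-2021-30151 pattern: a queue name taken from the request is interpolated
# into live-poll markup. HTML-escaping it before interpolation means any
# markup characters in the name are rendered as text, not parsed as tags.
def queue_label_html(queue_name)
  "<span class=\"queue\">#{CGI.escapeHTML(queue_name.to_s)}</span>"
end

# CVE-2022-23837 pattern: the stats graph accepted any "days" value, so a
# single request could demand an arbitrary amount of per-day work. Accept only
# a plain positive integer and clamp it to a fixed upper bound.
def clamp_stats_days(raw, default: DEFAULT_STATS_DAYS, max: MAX_STATS_DAYS)
  s = raw.to_s
  return default unless s.match?(/\A\d+\z/)   # reject "-5", "1e9", "", "abc"
  days = s.to_i
  return default if days.zero?
  [days, max].min
end

# Stand-in for the per-day stats collection: cost grows with the number of
# days, so the clamp above bounds the work a single request can trigger.
def stats_for_days(raw)
  days = clamp_stats_days(raw)
  Array.new(days) { |i| { day: i, processed: 0, failed: 0 } }
end

if __FILE__ == $0
  puts queue_label_html('default"><b>x</b>')   # markup comes out escaped
  p clamp_stats_days("99999999")               # clamped to MAX_STATS_DAYS
  p stats_for_days("5").size                   # 5
end
```

The regular expression is stricter than `to_i` alone, which would silently
turn "-5" or "12abc" into numbers; rejecting anything that is not a plain
digit string and falling back to the default keeps the parameter within the
range the page can actually render.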

For Debian 10 buster, these problems have been fixed in version
5.2.3+dfsg-1+deb10u1.

We recommend that you upgrade your ruby-sidekiq packages.

For the detailed security status of ruby-sidekiq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-sidekiq

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS