Debian Security Advisory
DSA-4242-1 ruby-sprockets -- security update
- Date Reported:
- 09 Jul 2018
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 901913.
In Mitre's CVE dictionary: CVE-2018-3760.
- More information:
Orange Tsai discovered a path traversal flaw in ruby-sprockets, a Rack-based asset packaging system. A remote attacker can take advantage of this flaw to read arbitrary files outside an application's root directory via specially crafted requests, when the Sprockets server is used in production.
For the stable distribution (stretch), this problem has been fixed in version 3.7.0-1+deb9u1.
We recommend that you upgrade your ruby-sprockets packages.
For the detailed security status of ruby-sprockets please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby-sprockets