Security Information / 2023 / Security Information -- DSA-5389-1 rails

Debian Security Advisory

DSA-5389-1 rails -- security update

Date Reported:

14 Apr 2023

Affected Packages:

rails

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 1033262, Bug 1033263.
In Mitre's CVE dictionary: CVE-2023-23913, CVE-2023-28120.

More information:

Two vulnerabilities were discovered in rails, the Ruby based server-side MVC web application framework, which could lead to XSS and DOM based cross-site scripting (CRS).

This update also fixes a regression introduced in previous update that may block certain access for applications using development environment.

For the stable distribution (bullseye), these problems have been fixed in version 2:6.0.3.7+dfsg-2+deb11u2.

We recommend that you upgrade your rails packages.

For the detailed security status of rails please refer to its security tracker page at: https://security-tracker.debian.org/tracker/rails