[SECURITY] [DLA 2149-1] rails security update

2020-03-2000:10:53

lists.debian.org

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

42.3%

JSON

Package : rails
Version : 2:4.1.8-1+deb8u6
CVE ID : CVE-2020-5267
Debian Bug : 954304

In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a
possible XSS vulnerability in ActionView's JavaScript literal
escape helpers.
Views that use the j or escape_javascript methods may be
susceptible to XSS attacks.

For Debian 8 "Jessie", this problem has been fixed in version
2:4.1.8-1+deb8u6.

We recommend that you upgrade your rails packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Best,
Utkarsh

OSVersionArchitecturePackageVersionFilename
Debian8allruby-activesupport< 2:4.1.8-1+deb8u6ruby-activesupport_2:4.1.8-1+deb8u6_all.deb
Debian10allruby-activejob< 2:5.2.2.1+dfsg-1+deb10u1ruby-activejob_2:5.2.2.1+dfsg-1+deb10u1_all.deb
Debian10allruby-rails< 2:5.2.2.1+dfsg-1+deb10u1ruby-rails_2:5.2.2.1+dfsg-1+deb10u1_all.deb
Debian9allruby-actionmailer< 2:4.2.7.1-1+deb9u2ruby-actionmailer_2:4.2.7.1-1+deb9u2_all.deb
Debian9allruby-activemodel< 2:4.2.7.1-1+deb9u2ruby-activemodel_2:4.2.7.1-1+deb9u2_all.deb
Debian9allruby-railties< 2:4.2.7.1-1+deb9u2ruby-railties_2:4.2.7.1-1+deb9u2_all.deb
Debian8allruby-railties< 2:4.1.8-1+deb8u6ruby-railties_2:4.1.8-1+deb8u6_all.deb
Debian9allruby-actionview< 2:4.2.7.1-1+deb9u2ruby-actionview_2:4.2.7.1-1+deb9u2_all.deb
Debian8allrails< 2:4.1.8-1+deb8u6rails_2:4.1.8-1+deb8u6_all.deb
Debian8allruby-actionpack< 2:4.1.8-1+deb8u6ruby-actionpack_2:4.1.8-1+deb8u6_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	all	ruby-activesupport	< 2:4.1.8-1+deb8u6	ruby-activesupport_2:4.1.8-1+deb8u6_all.deb
Debian	10	all	ruby-activejob	< 2:5.2.2.1+dfsg-1+deb10u1	ruby-activejob_2:5.2.2.1+dfsg-1+deb10u1_all.deb
Debian	10	all	ruby-rails	< 2:5.2.2.1+dfsg-1+deb10u1	ruby-rails_2:5.2.2.1+dfsg-1+deb10u1_all.deb
Debian	9	all	ruby-actionmailer	< 2:4.2.7.1-1+deb9u2	ruby-actionmailer_2:4.2.7.1-1+deb9u2_all.deb
Debian	9	all	ruby-activemodel	< 2:4.2.7.1-1+deb9u2	ruby-activemodel_2:4.2.7.1-1+deb9u2_all.deb
Debian	9	all	ruby-railties	< 2:4.2.7.1-1+deb9u2	ruby-railties_2:4.2.7.1-1+deb9u2_all.deb
Debian	8	all	ruby-railties	< 2:4.1.8-1+deb8u6	ruby-railties_2:4.1.8-1+deb8u6_all.deb
Debian	9	all	ruby-actionview	< 2:4.2.7.1-1+deb9u2	ruby-actionview_2:4.2.7.1-1+deb9u2_all.deb
Debian	8	all	rails	< 2:4.1.8-1+deb8u6	rails_2:4.1.8-1+deb8u6_all.deb
Debian	8	all	ruby-actionpack	< 2:4.1.8-1+deb8u6	ruby-actionpack_2:4.1.8-1+deb8u6_all.deb