[SECURITY] [DLA 2655-1] rails security update

2021-05-1120:52:09

lists.debian.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

60.2%

JSON

Debian LTS Advisory DLA-2655-1 [email protected]
https://www.debian.org/lts/security/ Utkarsh Gupta
May 12, 2021 https://wiki.debian.org/LTS

Package : rails
Version : 2:4.2.7.1-1+deb9u5
CVE ID : CVE-2021-22885 CVE-2021-22904
Debian Bug : 988214

CVE-2021-22885

There is a possible information disclosure/unintended method
execution vulnerability in Action Pack when using the
`redirect_to` or `polymorphic_url` helper with untrusted user
input.

CVE-2021-22904

There is a possible DoS vulnerability in the Token Authentication
logic in Action Controller. Impacted code uses
`authenticate_or_request_with_http_token` or
`authenticate_with_http_token` for request authentication.

For Debian 9 stretch, these problems have been fixed in version
2:4.2.7.1-1+deb9u5.

We recommend that you upgrade your rails packages.

For the detailed security status of rails please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rails

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10allruby-actionmailer< 2:5.2.2.1+dfsg-1+deb10u3ruby-actionmailer_2:5.2.2.1+dfsg-1+deb10u3_all.deb
Debian10allruby-activesupport< 2:5.2.2.1+dfsg-1+deb10u3ruby-activesupport_2:5.2.2.1+dfsg-1+deb10u3_all.deb
Debian9allruby-actionmailer< 2:4.2.7.1-1+deb9u5ruby-actionmailer_2:4.2.7.1-1+deb9u5_all.deb
Debian9allruby-railties< 2:4.2.7.1-1+deb9u5ruby-railties_2:4.2.7.1-1+deb9u5_all.deb
Debian9allruby-activejob< 2:4.2.7.1-1+deb9u5ruby-activejob_2:4.2.7.1-1+deb9u5_all.deb
Debian10allruby-activejob< 2:5.2.2.1+dfsg-1+deb10u3ruby-activejob_2:5.2.2.1+dfsg-1+deb10u3_all.deb
Debian10allruby-activestorage< 2:5.2.2.1+dfsg-1+deb10u3ruby-activestorage_2:5.2.2.1+dfsg-1+deb10u3_all.deb
Debian9allruby-activesupport< 2:4.2.7.1-1+deb9u5ruby-activesupport_2:4.2.7.1-1+deb9u5_all.deb
Debian10allruby-activemodel< 2:5.2.2.1+dfsg-1+deb10u3ruby-activemodel_2:5.2.2.1+dfsg-1+deb10u3_all.deb
Debian10allruby-actionview< 2:5.2.2.1+dfsg-1+deb10u3ruby-actionview_2:5.2.2.1+dfsg-1+deb10u3_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	all	ruby-actionmailer	< 2:5.2.2.1+dfsg-1+deb10u3	ruby-actionmailer_2:5.2.2.1+dfsg-1+deb10u3_all.deb
Debian	10	all	ruby-activesupport	< 2:5.2.2.1+dfsg-1+deb10u3	ruby-activesupport_2:5.2.2.1+dfsg-1+deb10u3_all.deb
Debian	9	all	ruby-actionmailer	< 2:4.2.7.1-1+deb9u5	ruby-actionmailer_2:4.2.7.1-1+deb9u5_all.deb
Debian	9	all	ruby-railties	< 2:4.2.7.1-1+deb9u5	ruby-railties_2:4.2.7.1-1+deb9u5_all.deb
Debian	9	all	ruby-activejob	< 2:4.2.7.1-1+deb9u5	ruby-activejob_2:4.2.7.1-1+deb9u5_all.deb
Debian	10	all	ruby-activejob	< 2:5.2.2.1+dfsg-1+deb10u3	ruby-activejob_2:5.2.2.1+dfsg-1+deb10u3_all.deb
Debian	10	all	ruby-activestorage	< 2:5.2.2.1+dfsg-1+deb10u3	ruby-activestorage_2:5.2.2.1+dfsg-1+deb10u3_all.deb
Debian	9	all	ruby-activesupport	< 2:4.2.7.1-1+deb9u5	ruby-activesupport_2:4.2.7.1-1+deb9u5_all.deb
Debian	10	all	ruby-activemodel	< 2:5.2.2.1+dfsg-1+deb10u3	ruby-activemodel_2:5.2.2.1+dfsg-1+deb10u3_all.deb
Debian	10	all	ruby-actionview	< 2:5.2.2.1+dfsg-1+deb10u3	ruby-actionview_2:5.2.2.1+dfsg-1+deb10u3_all.deb