logo
DATABASE RESOURCES PRICING ABOUT US

[SECURITY] [DLA 604-1] ruby-actionpack-3.2 security update

Description

Package : ruby-actionpack-3.2 Version : 3.2.6-6+deb7u3 CVE ID : CVE-2015-7576 CVE-2016-0751 CVE-2016-0752 CVE-2016-2097 CVE-2016-2098 CVE-2016-6316 Multiple vulnerabilities have been discovered in ruby-actionpack-3.2, a web-flow and rendering framework and part of Rails: CVE-2015-7576 A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication. Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack. CVE-2016-0751 A flaw was found in the way the Action Pack component performed MIME type lookups. Since queries were cached in a global cache of MIME types, an attacker could use this flaw to grow the cache indefinitely, potentially resulting in a denial of service. CVE-2016-0752 A directory traversal flaw was found in the way the Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this flaw to render unexpected files and, possibly, execute arbitrary code. CVE-2016-2097 Crafted requests to Action View might result in rendering files from arbitrary locations, including files beyond the application's view directory. This vulnerability is the result of an incomplete fix of CVE-2016-0752. This bug was found by Jyoti Singh and Tobias Kraze from Makandra. CVE-2016-2098 If a web applications does not properly sanitize user inputs, an attacker might control the arguments of the render method in a controller or a view, resulting in the possibility of executing arbitrary ruby code. This bug was found by Tobias Kraze from Makandra and joernchen of Phenoelit. CVE-2016-6316 Andrew Carpenter of Critical Juncture discovered a cross-site scripting vulnerability affecting Action View. Text declared as "HTML safe" will not have quotes escaped when used as attribute values in tag helpers. For Debian 7 "Wheezy", these problems have been fixed in version 3.2.6-6+deb7u3. We recommend that you upgrade your ruby-actionpack-3.2 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS


Affected Package


OS OS Version Package Name Package Version
Debian 8 ruby-activesupport 4.1.8-1+deb8u1
Debian 8 ruby-activesupport-2.3 4.1.8-1+deb8u4
Debian 8 ruby-actionpack 4.1.8-1+deb8u4
Debian 8 ruby-activesupport-2.3 4.1.8-1+deb8u2
Debian 8 ruby-actionpack 4.1.8-1+deb8u1
Debian 8 ruby-activemodel 4.1.8-1+deb8u2
Debian 8 rails 4.1.8-1+deb8u2
Debian 8 ruby-rails 4.1.8-1+deb8u2
Debian 8 rails 2:4.1.8-1+deb8u1
Debian 8 ruby-actionpack 4.1.8-1+deb8u2
Debian 8 ruby-railties 4.1.8-1+deb8u1
Debian 8 ruby-actionview 4.1.8-1+deb8u4
Debian 8 ruby-activesupport 4.1.8-1+deb8u2
Debian 8 ruby-activesupport-2.3 4.1.8-1+deb8u1
Debian 8 ruby-railties 4.1.8-1+deb8u2
Debian 8 ruby-activemodel 4.1.8-1+deb8u4
Debian 8 ruby-actionmailer 4.1.8-1+deb8u4
Debian 8 ruby-activerecord 4.1.8-1+deb8u1
Debian 8 ruby-activesupport 4.1.8-1+deb8u4
Debian 8 ruby-activerecord 4.1.8-1+deb8u4
Debian 8 ruby-actionview 4.1.8-1+deb8u2
Debian 8 ruby-actionview 4.1.8-1+deb8u1
Debian 8 ruby-activerecord 4.1.8-1+deb8u2
Debian 8 ruby-activemodel 4.1.8-1+deb8u1
Debian 8 rails 4.1.8-1+deb8u4
Debian 8 rails 4.1.8-1+deb8u1
Debian 8 ruby-actionmailer 4.1.8-1+deb8u2
Debian 8 ruby-rails 4.1.8-1+deb8u1
Debian 7 ruby-actionpack-3.2 3.2.6-6+deb7u3
Debian 8 ruby-railties 4.1.8-1+deb8u4
Debian 8 rails 2:4.1.8-1+deb8u4
Debian 8 ruby-rails 4.1.8-1+deb8u4
Debian 8 ruby-actionmailer 4.1.8-1+deb8u1
Debian 8 rails 2:4.1.8-1+deb8u2

Related