[SECURITY] [DSA 3464-1] rails security update

2016-01-3118:43:51

lists.debian.org

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.007 Low

EPSS

Percentile

79.7%

JSON

Debian Security Advisory DSA-3464-1 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
January 31, 2016 https://www.debian.org/security/faq

Package : rails
CVE ID : CVE-2015-3226 CVE-2015-3227 CVE-2015-7576 CVE-2015-7577
CVE-2015-7581 CVE-2016-0751 CVE-2016-0752 CVE-2016-0753

Multiple security issues have been discovered in the Rails on Rails web
application development framework, which may result in denial of service,
cross-site scripting, information disclosure or bypass of input
validation.

For the stable distribution (jessie), these problems have been fixed in
version 2:4.1.8-1+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 2:4.2.5.1-1.

We recommend that you upgrade your rails packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian8allruby-rails< 2:4.1.8-1+deb8u1ruby-rails_2:4.1.8-1+deb8u1_all.deb
Debian8allruby-actionmailer< 2:4.1.8-1+deb8u1ruby-actionmailer_2:4.1.8-1+deb8u1_all.deb
Debian8allruby-activemodel< 2:4.1.8-1+deb8u1ruby-activemodel_2:4.1.8-1+deb8u1_all.deb
Debian8allruby-activesupport< 2:4.1.8-1+deb8u1ruby-activesupport_2:4.1.8-1+deb8u1_all.deb
Debian8allruby-actionview< 2:4.1.8-1+deb8u1ruby-actionview_2:4.1.8-1+deb8u1_all.deb
Debian8allruby-activerecord< 2:4.1.8-1+deb8u1ruby-activerecord_2:4.1.8-1+deb8u1_all.deb
Debian8allruby-activesupport-2.3< 2:4.1.8-1+deb8u1ruby-activesupport-2.3_2:4.1.8-1+deb8u1_all.deb
Debian8allruby-actionpack< 2:4.1.8-1+deb8u1ruby-actionpack_2:4.1.8-1+deb8u1_all.deb
Debian7allruby-activerecord-3.2< 3.2.6-5+deb7u2ruby-activerecord-3.2_3.2.6-5+deb7u2_all.deb
Debian8allruby-railties< 2:4.1.8-1+deb8u1ruby-railties_2:4.1.8-1+deb8u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	all	ruby-rails	< 2:4.1.8-1+deb8u1	ruby-rails_2:4.1.8-1+deb8u1_all.deb
Debian	8	all	ruby-actionmailer	< 2:4.1.8-1+deb8u1	ruby-actionmailer_2:4.1.8-1+deb8u1_all.deb
Debian	8	all	ruby-activemodel	< 2:4.1.8-1+deb8u1	ruby-activemodel_2:4.1.8-1+deb8u1_all.deb
Debian	8	all	ruby-activesupport	< 2:4.1.8-1+deb8u1	ruby-activesupport_2:4.1.8-1+deb8u1_all.deb
Debian	8	all	ruby-actionview	< 2:4.1.8-1+deb8u1	ruby-actionview_2:4.1.8-1+deb8u1_all.deb
Debian	8	all	ruby-activerecord	< 2:4.1.8-1+deb8u1	ruby-activerecord_2:4.1.8-1+deb8u1_all.deb
Debian	8	all	ruby-activesupport-2.3	< 2:4.1.8-1+deb8u1	ruby-activesupport-2.3_2:4.1.8-1+deb8u1_all.deb
Debian	8	all	ruby-actionpack	< 2:4.1.8-1+deb8u1	ruby-actionpack_2:4.1.8-1+deb8u1_all.deb
Debian	7	all	ruby-activerecord-3.2	< 3.2.6-5+deb7u2	ruby-activerecord-3.2_3.2.6-5+deb7u2_all.deb
Debian	8	all	ruby-railties	< 2:4.1.8-1+deb8u1	ruby-railties_2:4.1.8-1+deb8u1_all.deb