ESB-2018.2039 - [Debian] ruby-sprockets: Read-only data access - Remote/unauthenticated 2018-07-13


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2039
                  ruby-sprockets update comes to Debian 8
                               13 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-sprockets
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Read-only Data Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3760  

Reference:         ESB-2018.1991

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/07/msg00010.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : ruby-sprockets
Version        : 2.12.3-1+deb8u1
CVE IDs        : CVE-2018-3760 
Debian Bug     : #901913

It was discovered that there was a path traversal flaw in ruby-sprockets,
a Rack-based asset packaging system. A remote attacker could take
advantage of this flaw to read arbitrary files outside an application's
root directory via "file://" requests.
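As an added illustration of the defensive behaviour the fix restores (this is not Debian's or Sprockets' own code), a hypothetical Rack-style asset resolver that refuses URI-scheme requests such as "file://" and confines every resolved path to the asset root; the AssetRoot class, the temp-dir fixture and the file names are constructed for the example.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Hypothetical asset lookup (not Sprockets' code): resolves a requested logical
# path against a fixed asset root and refuses anything that escapes it.
class AssetRoot
  def initialize(root)
    # Canonicalise once so symlinks in the root itself cannot confuse the check.
    @root = Pathname.new(root).realpath
  end

  # Returns the absolute Pathname of the asset, or nil when the request is rejected.
  def resolve(requested)
    # 1. Refuse URI-style requests outright: a "file://" request must never be
    #    interpreted as a filesystem location.
    return nil if requested =~ /\A[a-z][a-z0-9+.\-]*:/i

    # 2. Join onto the root and canonicalise (follows symlinks, collapses "..").
    candidate = (@root + requested).realpath
    return nil unless candidate.file?

    # 3. Confine: the canonical path must still lie beneath the canonical root.
    rel = candidate.relative_path_from(@root).to_s
    return nil if rel == ".." || rel.start_with?("../")
    candidate
  rescue Errno::ENOENT, Errno::EACCES
    nil
  end
end

# Constructed fixture: an asset root holding one real asset, plus a file that
# sits outside the root and must stay unreachable.
def demo
  Dir.mktmpdir do |dir|
    root = File.join(dir, "app", "assets")
    FileUtils.mkdir_p(root)
    File.write(File.join(root, "application.js"), "// ok")
    File.write(File.join(dir, "secret.txt"), "outside the root")
    assets = AssetRoot.new(root)
    {
      asset:     assets.resolve("application.js")&.basename&.to_s, # "application.js"
      traversal: assets.resolve("../../secret.txt"),               # nil
      file_uri:  assets.resolve("file://#{dir}/secret.txt"),       # nil
    }
  end
end
```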

For Debian 8 "Jessie", this issue has been fixed in ruby-sprockets version
2.12.3-1+deb8u1.

We recommend that you upgrade your ruby-sprockets packages.


Regards,

- - -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
