Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.3738 Rails 4.2.11, 5.0.7.1, 5.1.6.1 and 5.2.1.1 have been released 3 December 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Rails Publisher: Rails project Operating System: Windows Mac OS Linux variants Impact/Access: Unauthorised Access -- Unknown/Unspecified Resolution: Patch/Upgrade CVE Names: CVE-2018-16477 CVE-2018-16476 Original Bulletin: https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/ - --------------------------BEGIN INCLUDED TEXT-------------------- Rails 4.2.11, 5.0.7.1, 5.1.6.1 and 5.2.1.1 have been released! Posted by rafaelfranca, November 27, 2018 @ 9:20 pm in Releases Hello everyone and happy Tuesday! Rails 4.2.11, 5.0.7.1, 5.1.6.1 and 5.2.1.1 have been released! These contain the following important security fixes, and it is recommended that users upgrade as soon as possible: * CVE-2018-16476 Broken Access Control vulnerability in Active Job RAils 5.2.1.1 also includes the following security fix: * CVE-2018-16477 Bypass vulnerability in Active Storage The released versions can be found in the usual locations, and you can find a list of changes on GitHub: * Changes in 4.2.11 * Changes in 5.0.7.1 * Changes in 5.1.6.1 * Changes in 5.2.1.1 We've done our best to minimize any impact to your applications, but if you run in to any issues, please file a ticket and we'll do our best to help! Again, as always, if you run in to any bugs, please file them on the Rails issue tracker which is located here. If you run in to security issues, please follow the reporting process which can be found here. SHA-256 If you'd like to verify that your gem is the same as the one I've uploaded, please use these SHA-256 hashes. $ shasum -a 256 *4.2.11.gem* 951c7ddd998b25f51ac01e3da5b552acb4341af325bb744b6d1b567fa0a6737e actionmailer-4.2.11.gem f97004512791f29220b08e0fb3394fa6235049d48a043f490552bee3078db38f actionpack-4.2.11.gem 8bb47c377295f91a685afb993d78d5a628b3afa04739047bd71af6fe3ac07c27 actionview-4.2.11.gem d35b4027c2a07f6637a480db50da7576dc11239c59cb66b805e253e284d0d88b activejob-4.2.11.gem b89604b0252e1b5eea47de4c5e3ff4b3d713c3c5ab3802c87a37b0e296da5885 activemodel-4.2.11.gem 258e61c64256c024d703d90d259dd183b526a10083eda518c94b2bcb52a880eb activerecord-4.2.11.gem c49aa608ef07ae6164211b4208292386947c58b925aeb3157a746f587911195f activesupport-4.2.11.gem dd12ffea8f548accec41ae1ef6add3cf9f1e00275744f92da60a713a0b0d1766 rails-4.2.11.gem 2186005ddf9e48fcbc98bb37c8bf127d0681826938cb053c896e03dde717a327 railties-4.2.11.gem $ shasum -a 256 *5.0.7.1.gem* 2befb790e89ca0573f2f25d7458aee45aff694a4a9b3ee2049ec7b13a8628390 actioncable-5.0.7.1.gem 1556a928f279ede0a98b41f5bd44b641d5a966acf50e93916619048a9e2fef1c actionmailer-5.0.7.1.gem 3cd3bd78fd02ab186da87b8c331dda4dc74904a5aa40b2d834347c65037fc3fe actionpack-5.0.7.1.gem 41258b51f5ac18bc55e77442eb93bde161781fbff7c45d913a0bfb45530e7f14 actionview-5.0.7.1.gem 9b1e8f49b09d3aa28c0c7ad3eae0bf7deecbc03c557d49fd4c49159ff0d53971 activejob-5.0.7.1.gem 0ce4d73d02392f835b11c138dc61af36388663fc9636313d055d90621f4500c5 activemodel-5.0.7.1.gem 8c1cd39637c8810d8fac7948a9dacf06075e6007b39400d48f34abb4db3e6ae3 activerecord-5.0.7.1.gem eba9b4423a433535f7ddf320a0d1590695a24b69b9525bea5f32fe3d2babb609 activesupport-5.0.7.1.gem 3ce11ed1acf1eea4b4b35b4516251e81a5cbbd889227432b232409cb9c658a2e rails-5.0.7.1.gem d92aaa635282faad3feb3aab75ea34587f05f142dc65e02044b253e56414d0b1 railties-5.0.7.1.gem $ shasum -a 256 *5.1.6.1.gem* 3f011a9732531f6e00f213910a66b5d1ec5f9c8cd0b208c32ed9a014008e517f actioncable-5.1.6.1.gem e89c2f24e1fb82b16927c9c7140a09d405e54d35ebb964c4a199843683559d29 actionmailer-5.1.6.1.gem 3e3875f18e1548e413f5a48d695e6e77646f5b687d9d4e149c75285c1ece26a7 actionpack-5.1.6.1.gem 5783dc24973b15cb33e48341b268c6b3ad2e5750f536d36eb9d489274846dc1c actionview-5.1.6.1.gem 8875a51226f5a4f75ba2be209c0b801bae602d1f9471db495b0a67f10e8158e7 activejob-5.1.6.1.gem 00ccdcd6003c11640e813d8511ad7362ad823e0db95637bf2239f1e1196489d8 activemodel-5.1.6.1.gem 4946ae8a770d9a58fecfa16791769dff6e837c8e8970a04b9c2854d584580947 activerecord-5.1.6.1.gem fa78e56360106d5e508818a4f0b5d234ea1f2183c755134b6276aba1101c3831 activesupport-5.1.6.1.gem f64f110ff439f10616e87e35dee23aeb0932e77869c64b3e2239b1332db5c863 rails-5.1.6.1.gem ac32ff49acd522522bbb87cc69d37a448e6e856b72bccee098c80a0d565d2640 railties-5.1.6.1.gem $ shasum -a 256 *5.2.1.1.gem* 8dc3251fb9dc898a693243d0f5488ef5bbfaefc92c2fd744db4554b0b739ce9c actioncable-5.2.1.1.gem f932baa262e1309ee0a4b5784e63a91cc9808a68fa3475f4469718c80d6a9d5f actionmailer-5.2.1.1.gem 731c5a5b31811d530623f4bf35aade7a9bc7b76da72a006a4eedd2359efb62b3 actionpack-5.2.1.1.gem 9c449f59f03890dceb8bb05f53c2b6b331a37180258a605e27e48982114feebb actionview-5.2.1.1.gem b9bbb83cc41e2bff53f6cc1f5a57c6edcefca0e63084621bcad43c6aca37edfc activejob-5.2.1.1.gem c2627b30d7be62d3849943e86e1df34d2275f75e4f478b550ce77d84c3f61a96 activemodel-5.2.1.1.gem 46b27c575c9e2c6810c2b9223f0034b54e9d061c2b8c72f3dd4226947debee58 activerecord-5.2.1.1.gem 451b837320e6c2da51974d1b844d120718c726b5e13e905b0ba83e2759991c92 activestorage-5.2.1.1.gem 6e055f81d0ec158475faed1bb4e00c8030b67ecc2b7aee83be24c995a5d1a1dc activesupport-5.2.1.1.gem b5e1fe216d108d6908e23aaaed563dcf8fae7ec92c4ea776607732785bad8f10 rails-5.2.1.1.gem 1030556e9bb07d192429659cbe5561339bbe845f9d78194a34bbc040653c7685 railties-5.2.1.1.gem - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXASBhmaOgq3Tt24GAQhTcg//d489M6w4It70YcYfY11xKAcg1Whzi4K0 GXs+BuVj43+BAcpDO+uegl046A3icW1r+yKdAAfIc1q3kAiBGctOuPs2d8ww5dup 6y6VAsG2lEp+5MoI5XX0Fr6+e/zhQQDIC+YVprjRLXySZrDiNfcUA1XmtghSP+Ei XGDtExeI+KHn+9FtK8vgp28rN+6sia4tSC04pAQHMgKwCWqUWSc9lg79X4j4sCPi XLVr6BVDtHLGeIY+4KGTv1UBY5sHKtzx5N8DCqKauswqNIkB1MLj7pRQeFSP7mxC l4+ZKgB8fUqhWgEtdBVD58fivwV6YepQM/mDD8m5GCf2AHGdjEYAO3v6NdGtWoHa CJdj3qchKwvZQafvEEGAbhknz0mysY/UpvIL7VXM2u4vhko1rSwNHCL2KVtQuZ7Y jYT3Wf9TxsvqQjFpDS6CI2tyQIQYc38YbBCIlobYbeBprv84we5RyJWuUzcOaOGW KkU315+/CHkxVo81dzgflu0BSmvJXy8/Ncok3i6gv+nVDDew2iLgV3oHy699FYQ3 K5PgqXoL53hpHaAVrl/azPZh6zUUNAKRWb6042W8O/QjxXvhESkaj0nRA9/gxS1Y 7MfpdP4duiEFdzqXfJlEh1DHBLnAR7Q8bM3mQt4neQTc35rIq4fCImqEvHlybKKU 0677NGLfkLY= =53el -----END PGP SIGNATURE-----