===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0444
                      ruby-rack-cors security update
                              7 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-rack-cors
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18978
Reference:         ESB-2020.0376

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2096

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : ruby-rack-cors
Version        : 0.2.9-1+deb8u1
CVE ID         : CVE-2019-18978

This package allowed ../ directory traversal to access private resources
because resource matching did not ensure that pathnames were in a
canonical format.

For Debian 8 "Jessie", this problem has been fixed in version
0.2.9-1+deb8u1.

We recommend that you upgrade your ruby-rack-cors packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
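
The flaw described in the included Debian text, as an added Ruby sketch that is not rack-cors source code: a resource rule tested against the raw request path, beside the same rule tested after the path is canonicalized. The helper names, the `/public/*` rule and the sample paths are constructed for illustration.

```ruby
# Added illustration: a simplified model of CORS resource matching.
# Not rack-cors source; every name and sample path here is constructed.

# Turn a resource rule such as "/public/*" into an anchored regex.
def glob_to_regex(rule)
  Regexp.new('\A' + Regexp.escape(rule).gsub('\*', '.*') + '\z')
end

# Weak form: the rule is tested against the path exactly as received.
def matches_raw?(rule, path)
  glob_to_regex(rule).match?(path)
end

# Canonical form: percent-decode once, then resolve "." and ".." segments
# and collapse empty segments, so the rule sees the path that is served.
def canonical_path(path)
  decoded = path.b.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
  segments = []
  decoded.split('/').each do |seg|
    case seg
    when '', '.' then next
    when '..'    then segments.pop
    else              segments << seg
    end
  end
  '/' + segments.join('/')
end

# Hardened form: canonicalize first, then apply the rule.
def matches_canonical?(rule, path)
  glob_to_regex(rule).match?(canonical_path(path))
end

# Paths where the two checks disagree, i.e. where the weak check would
# apply the rule to a resource outside the rule's prefix.
def mismatches(rule, paths)
  paths.select { |p| matches_raw?(rule, p) && !matches_canonical?(rule, p) }
end

SAMPLE_PATHS = [
  '/public/logo.png',
  '/public/../private/report',
  '/public/%2e%2e/private/report',
  '/private/report'
].freeze

puts mismatches('/public/*', SAMPLE_PATHS)
```

Running `mismatches` over request paths taken from access logs gives a quick list of requests that a non-canonical matcher would have treated as covered by a public rule.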