-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2359
                          ruby-rack security update
                               13 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-rack
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access     -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8184 CVE-2020-8161
Reference:         ESB-2020.1836

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2275

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -----------------------------------------------------------------------
Debian LTS Advisory DLA-2275-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
July 10, 2020                                 https://wiki.debian.org/LTS
- - -----------------------------------------------------------------------

Package        : ruby-rack
Version        : 1.6.4-4+deb9u2
CVE ID         : CVE-2020-8161 CVE-2020-8184
Debian Bug     : 963477

The following CVEs were reported against src:ruby-rack.

CVE-2020-8161

    A directory traversal vulnerability exists in rack < 2.2.0 that
    allows an attacker to perform directory traversal in the
    Rack::Directory app that is bundled with Rack, which could result in
    information disclosure.

CVE-2020-8184

    A reliance on cookies without validation/integrity check security
    vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it
    possible for an attacker to forge a secure or host-only cookie
    prefix.

For Debian 9 stretch, these problems have been fixed in version
1.6.4-4+deb9u2.

We recommend that you upgrade your ruby-rack packages.
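The two CVEs above name bug classes rather than a single code path. The example below is added here and is not Rack's or Debian's code: it shows a hardened form of each check, a path-containment test for the directory-serving case, and a Cookie header parser that refuses to store a cookie under a __Host- or __Secure- name unless that prefix appears literally in the header. The cookie mechanism (a percent-encoded name such as %5F%5FHost-id being decoded into a prefixed name) is the one the upstream Rack 2.2.3 changelog describes for CVE-2020-8184; the root path /srv/www, the cookie names and the header strings are constructed for illustration.

```ruby
# Added example for this advisory; not Rack's or Debian's code. Hardened forms
# of the two checks the CVEs above concern.

# Decode %XX sequences exactly once (so %2e%2e -> "..", %5F%5F -> "__").
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# --- Directory traversal (the CVE-2020-8161 class) -------------------------

# Maps PATH_INFO onto a filesystem path under +root+, or returns nil if the
# request would escape it. Decoding happens before the check, so an encoded
# "..", a leading "/" or a "~" cannot sidestep it. File.expand_path only
# normalises the string lexically; it does not follow symlinks.
def resolve_under_root(root, path_info)
  root = File.expand_path(root)
  decoded = percent_decode(path_info.to_s)
  return nil if decoded.include?("\0")               # NUL truncates C-level opens
  full = File.expand_path(File.join(root, decoded))   # collapses "." and ".."
  return nil unless full == root || full.start_with?(root + File::SEPARATOR)
  full
end

# --- Cookie prefix forgery (the CVE-2020-8184 class) -----------------------

COOKIE_PREFIXES = ["__Host-", "__Secure-"].freeze

# Permissive parser: decodes names, so a browser-permitted cookie named
# "%5F%5FHost-id" is read back as "__Host-id". This is the behaviour the
# upstream 2.2.3 fix removed.
def parse_cookie_header_permissive(header)
  cookies = {}
  header.to_s.split(/[;,] */).each do |pair|
    raw_name, value = pair.strip.split("=", 2)
    next if raw_name.nil? || raw_name.empty?
    cookies[percent_decode(raw_name)] ||= percent_decode(value.to_s) # first wins
  end
  cookies
end

# Hardened parser: a cookie is stored under a prefixed name only when the
# prefix appears literally in the header, because that is the only spelling
# on which a browser enforces the Secure / host-only rules.
def parse_cookie_header(header)
  cookies = {}
  header.to_s.split(/[;,] */).each do |pair|
    raw_name, value = pair.strip.split("=", 2)
    next if raw_name.nil? || raw_name.empty?
    name = percent_decode(raw_name)
    forged = COOKIE_PREFIXES.any? { |p| name.start_with?(p) && !raw_name.start_with?(p) }
    next if forged
    cookies[name] ||= percent_decode(value.to_s)   # first occurrence wins
  end
  cookies
end

if __FILE__ == $0
  p resolve_under_root("/srv/www", "/docs/index.html")           # under root
  p resolve_under_root("/srv/www", "/%2e%2e/%2e%2e/etc/passwd")  # nil
  p parse_cookie_header_permissive("%5F%5FHost-id=evil")         # forged name accepted
  p parse_cookie_header("__Host-id=real; %5F%5FHost-id=evil")    # only the real one
end
```

The path check is deliberately lexical: if the served tree contains symlinks that point outside it, resolve the final path with File.realpath and repeat the containment test. Dropping the forged cookie rather than raising keeps the parser tolerant of the malformed headers real clients send.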
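The fixed Debian package keeps the upstream version 1.6.4, so the version ranges quoted in the advisory only tell you something about rack installed as a gem (Bundler, RubyGems), not about the distro package. The following script, added here and not part of the advisory or of any Debian or Rack tooling, reads the rack version out of a Gemfile.lock and reports which of the two CVEs the quoted ranges place it in. It assumes Bundler's lockfile layout, and it reads the two CVE-2020-8184 bounds (rack < 2.2.3, rack < 2.1.4) as fix points on the 2.2 and 2.1 series respectively; that reading, and the sample lockfile fragment, are mine.

```ruby
# Added example, not Debian's or Rack's tooling: classify an upstream rack gem
# version against the ranges this advisory quotes.
require "rubygems"   # Gem::Version

# CVE-2020-8161: rack < 2.2.0
def vulnerable_to_8161?(version)
  Gem::Version.new(version) < Gem::Version.new("2.2.0")
end

# CVE-2020-8184: rack < 2.1.4 on the 2.1 series and earlier,
# and 2.2.0 <= rack < 2.2.3 on the 2.2 series (my reading of the two bounds).
def vulnerable_to_8184?(version)
  v = Gem::Version.new(version)
  v < Gem::Version.new("2.1.4") ||
    (v >= Gem::Version.new("2.2.0") && v < Gem::Version.new("2.2.3"))
end

# Bundler lists resolved gems under "specs:" indented by four spaces as
# "    rack (2.2.2)"; dependency lines are indented by six and are skipped.
# Platform suffixes such as "2.2.2-java" are stripped before comparison.
def rack_version_from_lockfile(lock_text)
  m = lock_text.match(/^ {4}rack \(([^)]+)\)$/)
  m && m[1].split("-").first
end

# Returns nil when rack is not in the lockfile, otherwise the list of CVE
# identifiers from this advisory whose quoted range contains the version.
def affected_cves(lock_text)
  version = rack_version_from_lockfile(lock_text)
  return nil unless version
  cves = []
  cves << "CVE-2020-8161" if vulnerable_to_8161?(version)
  cves << "CVE-2020-8184" if vulnerable_to_8184?(version)
  cves
end

# Constructed sample lockfile fragment (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.2)
      rack-test (1.1.0)
        rack (>= 1.0, < 3)
LOCK

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  cves = affected_cves(text)
  if cves.nil?
    puts "rack not listed"
  elsif cves.empty?
    puts "rack #{rack_version_from_lockfile(text)}: outside the quoted ranges"
  else
    puts "rack #{rack_version_from_lockfile(text)}: #{cves.join(', ')}"
  end
end
```

Run it as `ruby check_rack.rb path/to/Gemfile.lock`; without an argument it evaluates the embedded sample. For the Debian package itself, the only meaningful check is the package version (1.6.4-4+deb9u2 or later on stretch), which dpkg's own version comparison handles.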
For the detailed security status of ruby-rack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl8Ix/wACgkQgj6WdgbD
S5aT2xAA1MdxuJAX1aEg4egnpTib4yLVbU6rvGhy3SSpHkkhDfIyKiz+bZ/lWv+R
uKNE9scEoH1kl7ZatH/jgtDo4jAWG2fRr3/YeumqS/Mfd3X+W8wk7hv4V+nnCbUp
EjOV6sUjUeC5onJB7+hZBwsSwl4Vju+QCJHecpL2fYBG6oRuw5CLjpdDviqf343R
41H8tKi+t2U/FCSDMjig6vKm/3C0aFwcFERDc3rw3ggpHFG1Ix6UrS7/We3wqiz1
obPPh4s52t6HAiX2eQ+pEI0abgBUTYk/qHz9EHsUfvLlO+x0D+XSzGF2qJVN1vN5
XwnxiPA2+1lz37vddKFqYurL30so/VA8E3JJpcUE1oeJOK1OcgQcWNSKJ2ztchxW
JAoOjG+oGtIYxQMHfBjmXfFmyOBHFCNMlD9WG4Sbg3j8WBL+5QD8PW6BD0iqZ1Ju
zvGya0EEOYbf2yR6oWzHMExR2pMnXrJ/0kJiQrJbIxQTi6W48opf6tfP/o/O0b52
6InnuvLihnYje80xQcSZIeYu3PE0rN6W8fyXcL7z47stD5Xbl7ffsP1jwWUTOOeE
KqI3SUMuj1qsQA7lkcfMoywXKP+FGd3Wk51bNcIlofiG/kCTh6LUCCHgRTKkSzDt
wZDfKpvKmML4EzfNI/YYdEXCqqO978o6ZvlblO9x4TRHnS9iT+M=
=KgBu
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXwvA7+NLKJtyKPYoAQhUkRAAj6qRgjfKmFmebuT6Xl1fn5SZ8qVjp7AY
ZKPsTCrSNYM6u0HZ1JPsAv7fRzX+VHaywJz62AZGSRSqwAFaGP6iI1psIhej+qx6
0Tyx0NeXz9sVMS+YdXOFduXlWeWiZJlLNxbiJBAwyv7nQJbs7hhuT5F1+XlT/Dva
isrqR0wjV8CwwVHs3Ws3fbBQXj0hXfC7xM6pAu3jJ96Qz90ZZ+4V5fsW/rb+bvz8
+OMFaiO6g4Ljg3XcPu8VesEseVDwEAsx2u0InqzbABC6tq4ZThNnx9nQuBUnSiu0
vAJmiH17z5I5TnskGtpK4jo8wK1s0/DMdMIDBlJpkCp0EPRNfsRiIHFtmgzDsHX9
CAA3qjmtbhq4B0XMAsgajDMrr9pcyCvPPVCzNrnbOinFb2YtX4gqw4r8FxDfVRFG
pSOg0BJQttWBBzkXhEBzbR1POBTOrLM1zTKhR3eGi+k3jI9F7dSBo43mlIsU8o5A
uEFEk3H1nGSqfSsPskte2/fU90Wdj+jX1zd9i7Q5uSkAVFK41cQmsVAFrmifnye9
qziR8lbM4IWL6OT8lIsF95HuNUnDE68wG6+b45uJh6vmPqO/G8Z4G2V76x/LXznF
adeF52oRG9dvOj5WK+aSnJWzOljctGIiqhFWWqc5jZFm1/B4RD9z/0aeje0U0oaw
BOymWo4oy3Y=
=zfIK
-----END PGP SIGNATURE-----