-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2359
                         ruby-rack security update
                               13 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-rack
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8184 CVE-2020-8161 

Reference:         ESB-2020.1836

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2275

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -----------------------------------------------------------------------
Debian LTS Advisory DLA-2275-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
July 10, 2020                               https://wiki.debian.org/LTS
- - -----------------------------------------------------------------------

Package        : ruby-rack
Version        : 1.6.4-4+deb9u2
CVE ID         : CVE-2020-8161 CVE-2020-8184
Debian Bug     : 963477

The following CVEs were reported against src:ruby-rack.

CVE-2020-8161

    A directory traversal vulnerability exists in rack < 2.2.0 that
    allows an attacker to perform directory traversal against the
    Rack::Directory app that is bundled with Rack, which could result
    in information disclosure.

CVE-2020-8184

    A reliance on cookies without validation/integrity checking exists
    in rack < 2.2.3 and rack < 2.1.4 that makes it possible for an
    attacker to forge a cookie carrying the secure (__Secure-) or
    host-only (__Host-) prefix.
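
    The upstream Rack advisory for CVE-2020-8184 describes the forgery
    as percent-encoding the cookie name: a browser only enforces the
    __Host-/__Secure- rules (Secure flag, set by the host itself,
    Path=/) against the literal name it was given, so a cookie named
    %5F%5FHost-session can be planted by any origin over plain HTTP,
    and a server that percent-decodes the name before the application
    sees it turns that into __Host-session. The following is an added
    illustration, not code from this advisory or from Rack itself; the
    two parse functions are simplified stand-ins for Rack's cookie
    header parser (one decoding the name as the affected versions did,
    one leaving it verbatim as the fixed versions do), and the Cookie
    header is constructed for the example.

```ruby
require 'uri'

# Percent-decode one cookie token; keep the raw string if decoding fails,
# mirroring the "rescue s" behaviour of the Rack parser being modelled.
def unescape(str)
  URI.decode_www_form_component(str)
rescue ArgumentError
  str
end

# Stand-in for the affected behaviour (rack < 2.2.3 / < 2.1.4):
# both the cookie NAME and the value are percent-decoded, so
# "%5F%5FHost-session" is handed to the application as "__Host-session".
def parse_cookies_vulnerable(header)
  return {} unless header
  header.split(/; */).each_with_object({}) do |cookie, cookies|
    next if cookie.empty?
    name, value = cookie.split('=', 2)
    name = unescape(name)
    # first occurrence wins, as in the original parser
    cookies[name] = unescape(value.to_s) unless cookies.key?(name)
  end
end

# Stand-in for the fixed behaviour: only the value is decoded. The name
# stays exactly as the browser sent it, i.e. the string the browser
# itself applied the __Host-/__Secure- prefix rules to.
def parse_cookies_fixed(header)
  return {} unless header
  header.split(/; */).each_with_object({}) do |cookie, cookies|
    next if cookie.empty?
    name, value = cookie.split('=', 2)
    cookies[name] = unescape(value.to_s) unless cookies.key?(name)
  end
end

# Hypothetical application check that trusts the __Host- prefix as proof
# that the cookie was set Secure, by this host, with Path=/.
def host_only_session(cookies)
  cookies['__Host-session']
end

# Constructed Cookie header: the legitimate __Host-session cookie is absent;
# an attacker has planted the percent-encoded look-alike (something a browser
# allows, since the literal name carries no recognised prefix).
FORGED_HEADER = '%5F%5FHost-session=attacker; lang=en-US'

if __FILE__ == $0
  puts host_only_session(parse_cookies_vulnerable(FORGED_HEADER)).inspect # "attacker"
  puts host_only_session(parse_cookies_fixed(FORGED_HEADER)).inspect      # nil
end
```

    With the vulnerable parser the forged cookie satisfies the
    application's host-only check; with the fixed parser it surfaces
    only under its raw, unprefixed name and is ignored. The same
    principle applies to any server-side component that normalises
    cookie names: the name must reach the prefix check unmodified, or
    the browser's guarantees for the prefix are lost.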

For Debian 9 stretch, these problems have been fixed in version
1.6.4-4+deb9u2.

We recommend that you upgrade your ruby-rack packages.

For the detailed security status of ruby-rack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----