-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3278
                      DSA-4766-1 rails security update
                              25 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           rails
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15169 CVE-2020-8167 CVE-2020-8166 CVE-2020-8165
                   CVE-2020-8164 CVE-2020-8162
Reference:         ESB-2020.2461
                   ESB-2020.2154
                   ESB-2020.1780

Original Bulletin:
   https://lists.debian.org/debian-security-announce/2020/msg00173.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4766-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 24, 2020                    https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : rails
CVE ID         : CVE-2020-8162 CVE-2020-8164 CVE-2020-8165 CVE-2020-8166
                 CVE-2020-8167 CVE-2020-15169

Multiple security issues were discovered in the Rails web framework which
could result in cross-site scripting, information leaks, code execution,
cross-site request forgery or bypass of upload limits.

For the stable distribution (buster), these problems have been fixed in
version 2:5.2.2.1+dfsg-1+deb10u2.

We recommend that you upgrade your rails packages.

For the detailed security status of rails please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/rails

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9tBf4ACgkQEMKTtsN8
TjZXXg/8CcpEBuLjJL5JlMmsUylyIP6VaLwRnv6K7JKG1IHSOp5iNtcFHSlhMYnz
G08fcxOy5xqIC8pDthxwuGaTXqJ/GE6gphE33azPt18qkYWycVOHK+r6htr1t4ab
oPNx6PFmkwk6ewp9voq/f6tX/f7sq10jnzr7orFSIJkP8LI3PUtm05HfAvbpX0+n
HYZbyg/7v2iXreYToIZdOFOQiT6L8OUW/Baw00nAqyKVToNoUhfhyKJ9Ian2wjAO
YLSVy51uvIjrHOu1YHTdhcBeIk1wFWS2BcIYwyaSD9wdwrdM5+qPkhpbrL10zsCN
WKMARD84nQuoonbl/jI8rHn8iUq+YZuSl6PtCVyNO3hh1YdjJmJvP30zOpBDknJG
8DMJfSWDiGhikkocvhb4M2uXFgrRfYfSnwvkv0y7bLUCYSaLKAL0efmluTk2qaQh
iQKfxDj+Szd7gSgD/LCy5TRmU3HiUkV282INsmQQ/eya275YTps05Em+6hIPPfLj
weUu4mAGPxmijJ+262qCmeqfQ3RENvd7DsrnNuMhhM0tRmX0iLHeS56E+dlv54Tc
0xAHLnIqYOuptk0j+ZYCdREGrAVGfeBBvNONzsCJNXnephZL6MYfBnLBZP/0nYZ4
2fssxhj71Vj88IdTx13/P3V0FmesCp01xdSYLHtZmVrVLbXX+6Y=
=gtTz
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX20xveNLKJtyKPYoAQir4xAAjrlMyRDLIINIX99I0FjRoA9RiDXd8MQM
vJZMs/xD10CgsU1ohO3+7eYycLAiUsTrh/mvC6DkUrX3tIH0F39vxIhvLZ2FmkxS
gZjQel6ROVJV7OOFt144VektMT7FILtQoc4cbmFJTMDmA+DNvY1+QyD7uoMkDLzh
uKAju3jGe85OrepcONc7mwybGkEkufVUSnWW4Mi83FcMmHy8l6BPQ/vxZt8ZU+Yf
+UQ3HxGA1ZGWseEHeD2CiavuOJOnns3t4aIeu1ZS+C9WmAqDX2MSb/x53CFQTn2F
uLO9W9t/Qudn8MiACkOtrNnmGpbh7hfYC6Ixj7dIV4kMk+ivnDDwMmuryYJ78Xmr
0BmQyVd8rRDY+6mHtpJF/qfpoNAd2OQ1qHEZLZeE+msqkwTFWWvAhITmbbV0G2rz
HBs20Mx3uhr6qLJ++Lg6T4JDSQWseeEoCXEXKFfkCxVF/eO/z+6AkrClI4wfZiKA
nMleZFCnlRMD2rLO/abinLNd+vV0P7MvWTqaQsKlRSzSBHf+fRjA/oLzmYkzXZ0R
W65ydmAShPRmTn8oK+LZERfljyYRxm51/FY4jZTNrm460Sao137lAWDULFrdCsa2
6S53bXuWG883f9Xq6kKVaRtQZP45kG3PSECWcRYMT/7Tr/Si8ydXMk6yVjeeGL5r
7wIjA/KqrvA=
=XdCr
-----END PGP SIGNATURE-----