-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3428
                      ruby-rack-cors security update
                              2 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-rack-cors
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Reduced Security    -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18978  

Reference:         ESB-2020.0444

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2389

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-----------------------------------------------------------------------
Debian LTS Advisory DLA-2389-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
October 01, 2020                            https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package        : ruby-rack-cors
Version        : 0.4.0-1+deb9u2
CVE ID         : CVE-2019-18978
Debian Bug     : 944849

This package allowed ../ directory traversal to access private
resources because resource matching did not ensure that
pathnames were in a canonical format.

For Debian 9 stretch, this problem has been fixed in version
0.4.0-1+deb9u2.

We recommend that you upgrade your ruby-rack-cors packages.

For the detailed security status of ruby-rack-cors please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack-cors

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------
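
The advisory above describes a resource matcher that tested request paths before putting them into canonical form, so a path carrying "../" segments could satisfy a permissive pattern while resolving to a resource outside it. The following Ruby is an added illustration of that bug class and its mitigation, written for this bulletin; it is not code from rack-cors or the Debian fix. The allowlist pattern, the two matcher functions and the sample paths are constructed for the example, and it assumes the server has already percent-decoded PATH_INFO.

```ruby
# Constructed allowlist: cross-origin access is only meant to be granted
# under /public/. The pattern and both matchers are hypothetical examples.
PUBLIC_PATTERN = %r{\A/public/}

# Naive matcher: tests the raw request path against the pattern. A path
# that starts with /public/ but contains ".." segments still matches,
# even though the application will serve a different resource.
def naive_match?(path)
  !!(PUBLIC_PATTERN =~ path)
end

# Canonicalise a request path before matching: collapse repeated slashes,
# drop "." segments and resolve ".." segments, never climbing above "/".
# Assumes PATH_INFO has already been percent-decoded by the server.
def canonical_path(path)
  segments = []
  path.split('/').each do |seg|
    next if seg.empty? || seg == '.'
    if seg == '..'
      segments.pop          # pop is a no-op at the root, so "/.." stays "/"
    else
      segments << seg
    end
  end
  '/' + segments.join('/')
end

# Hardened matcher: the pattern is tested against the canonical path, i.e.
# the path the application will actually resolve.
def canonical_match?(path)
  !!(PUBLIC_PATTERN =~ canonical_path(path))
end

if __FILE__ == $PROGRAM_NAME
  ['/public/logo.png', '/public/../private/secret', '/public//./a.js'].each do |p|
    printf("%-28s naive=%-5s canonical=%-5s (%s)\n",
           p, naive_match?(p), canonical_match?(p), canonical_path(p))
  end
end
```

If the framework hands you an undecoded path, decode it once before canonicalising; canonicalising first and decoding afterwards reintroduces the same gap via encoded dot segments.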

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----