-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3428
                     ruby-rack-cors security update
                              2 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-rack-cors
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Reduced Security      -- Remote/Unauthenticated
                   Unauthorised Access   -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18978
Reference:         ESB-2020.0444

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2389

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -----------------------------------------------------------------------
Debian LTS Advisory DLA-2389-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Utkarsh Gupta
October 01, 2020                              https://wiki.debian.org/LTS
- - -----------------------------------------------------------------------

Package        : ruby-rack-cors
Version        : 0.4.0-1+deb9u2
CVE ID         : CVE-2019-18978
Debian Bug     : 944849

This package allowed ../ directory traversal to access private resources
because resource matching did not ensure that pathnames were in a
canonical format.

For Debian 9 stretch, this problem has been fixed in version
0.4.0-1+deb9u2.

We recommend that you upgrade your ruby-rack-cors packages.
For the detailed security status of ruby-rack-cors please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack-cors

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl91yNkACgkQgj6WdgbD
S5YjpA//SG8OZ3YwH0G1rWF94AhYmAvF7zyh3b0GOH+QJVIzL4VaMrEPVfxJizDu
XjyY7pv1a7gmV5yuo8VBD5VartNRtqyaS2/M4/HjSWtKEGlNkCcWKgJ/R15X934y
/GO88t76fDiibk/FlUGfWSHM/X/zen/0fB4kDnTIN6oM87vXpTIkapdheCEGabKv
TEut0suGIXpoEbLQ/B8R3l9lbq0h0rwq3O2JvuFbhIDxrCQ8uidGXkHm3ZpHE3b3
j84dXRBWivS/8QXjRe01Mgk2WuAh+h78RClWR3z6+TVTOtYriXeA8CV3ck6eVfIT
tqINLmn86ov3nXE6YovWT1BLDG0KNQ+WRk2D41iQehKOuZBw2HgDzGuiOqPUqfiU
XQkUDSeZ4ZBP37QWg1eGd6JJlTdQRp0qVKF3AfTnWRYiBI0ZzDoJkq8BiNmIHjIg
dNO0bN2C0wm4ORgIvVt6L60foTYCn2KqgBeDWmWA7ErZqauARW/SK182usDZTHrb
gUVKogEVr1WsTQd4Af4YvK2CSlsZqsqU3KAzaAFI2K/jBtW/M7vyfWfnVF/2av4J
CjOYi7nUif/oCOkQ4kPW6k6H1QhrzDgeE55s2p1LkDqlbHvGKiPM5OQtDwAyuAyR
qAn3NM2ZQW6spEP4P6xegY6nYxoPByhAaNUim99hHvsdLeRrLgA=
=zohz
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX3Zn/+NLKJtyKPYoAQg1wg//Qd1/jFuV3TjWhQN8o8wqgdwFYb6wcB4A
UI/iH3fphkFtAXAx1q//hsIf9FStysWVXyIe70GDUqzcxduHB3AJqYkYsM69OSyk
PfAPUrvDqTQuCTT9ihLImyKAPmQFF/qxg1iQD73wcUdMFmEATJaAAv2Sa22l0NCJ
j45HH1vTN4BU5e+rNpMonQZFFEP6AHXldby97ean81jY2wAmnprIQuqS3cdgOQ/y
xWq1FnnfcNyDjXMThmmTEHBtLstj5E8AyswNUdFwRbOYgeQYgdMX1UYdLJBcNYA3
bIy5o/5o99VvHsmgheKxMgVokE1Dk3OZMakYJFOOaVwuIEOtCGp0kBQKmdgrfD2r
i3Z/bW40lLi0V3UgYBdnRJkJTmy4ocpXmMu/FTbO5ER9tM//yw0wnSo9T/OhrG24
CUiiv2r+eZN8SWyTMCYtc1hTUsmeC6cSU/24BEYdA0T9ZuSZ/Ztb8F8fUwS57Mvu
YombQGsestj4bkBgmgFJ7ECb2umkuEGTR+iQ7k/Wy2BMcEG7Y8HwAtOnw+9WL9CL
fCIIWFcPoI6XG7ORpt8s1tqHUifsBjhiJP1XHMcqOX0DwXp/hEmGYNEtVZSCH09L
T3s/wUqGAU+GGyAH6S0QJlzhlp3ZomHLqiBYMw0uaE4lqarKpGuFWPrzb/kHBPDT
wmmGcd44Vbw=
=kYmo
-----END PGP SIGNATURE-----
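The advisory above describes the defect in one sentence: CORS resource patterns were matched against request paths that had not been canonicalized, so a path containing ../ could be matched by a pattern written for a different, public prefix. The Ruby below is an added illustration written for this page; it is not rack-cors's code, the Debian patch, or any part of the bulletin. The function names (pattern_to_regexp, canonical_path, allowed_resource_naive?, allowed_resource_safe?, demo) and the /public/* pattern are hypothetical. It goes slightly beyond the advisory's wording in also percent-decoding the path before collapsing segments, since an encoded ../ must canonicalize the same way as a literal one.

```ruby
# Added example (not rack-cors's own code): a simplified CORS resource
# matcher showing the class of bug described in DLA-2389-1 / CVE-2019-18978,
# beside a matcher that canonicalizes the path before matching.

# Turn a glob-style resource pattern such as "/public/*" into an anchored
# regexp. "*" is the only wildcard; everything else is matched literally.
def pattern_to_regexp(pattern)
  Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*?') + '\z')
end

# Canonicalize a request path:
#   1. percent-decode (so "%2e%2e" becomes "..") BEFORE splitting, otherwise
#      an encoded separator or dot-segment survives canonicalization;
#   2. split on "/", drop empty and "." segments, let ".." pop the previous
#      segment.
# Raises ArgumentError if ".." would climb above the root, because no
# legitimate resource lives there and the caller should treat it as a deny.
def canonical_path(path)
  decoded = path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  segments = []
  decoded.split('/').each do |seg|
    case seg
    when '', '.'
      next
    when '..'
      raise ArgumentError, 'path escapes root' if segments.empty?
      segments.pop
    else
      segments << seg
    end
  end
  '/' + segments.join('/')
end

# Vulnerable form: the raw request path is tested against the patterns, so
# "/public/../private/x" is accepted by "/public/*" even though the server
# will actually serve "/private/x".
def allowed_resource_naive?(patterns, path)
  patterns.any? { |p| pattern_to_regexp(p).match?(path) }
end

# Hardened form: canonicalize first, then match; a path that escapes the
# root is rejected outright.
def allowed_resource_safe?(patterns, path)
  canon = canonical_path(path)
  patterns.any? { |p| pattern_to_regexp(p).match?(canon) }
rescue ArgumentError
  false
end

# Constructed configuration: only /public/* is meant to be CORS-enabled.
PATTERNS = ['/public/*'].freeze

# Constructed request path that traverses out of the public prefix.
TRAVERSAL = '/public/../private/secrets.json'.freeze

# Returns what each matcher decides for the traversal path.
def demo
  {
    naive: allowed_resource_naive?(PATTERNS, TRAVERSAL),
    safe: allowed_resource_safe?(PATTERNS, TRAVERSAL)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints {:naive=>true, :safe=>false}: the naive matcher would emit CORS headers for a private resource, the canonicalizing one would not. The design point is the order of operations in canonical_path: decode, then split, then collapse, and refuse rather than clamp when ".." runs past the root, so that the matcher only ever sees the same path the server will serve.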