seeing is believing

Debian Security Advisory 3509-1

Debian Security Advisory 3509-1
Posted Mar 10, 2016
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3509-1 - Two vulnerabilities have been discovered in Rails, a web application framework written in Ruby. Both vulnerabilities affect Action Pack, which handles the web requests for Rails.

tags | advisory, web, vulnerability, ruby
systems | linux, debian
advisories | CVE-2016-2097, CVE-2016-2098
MD5 | 0b7240331abe38630d6dfbe37fea3330

Debian Security Advisory 3509-1

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3509-1 security@debian.org
https://www.debian.org/security/ Luciano Bello
March 09, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : rails
CVE ID : CVE-2016-2097 CVE-2016-2098

Two vulnerabilities have been discovered in Rails, a web application
framework written in Ruby. Both vulnerabilities affect Action Pack, which
handles the web requests for Rails.

CVE-2016-2097

Crafted requests to Action View, one of the components of Action Pack,
might result in rendering files from arbitrary locations, including
files beyond the application's view directory. This vulnerability is
the result of an incomplete fix of CVE-2016-0752.
This bug was found by Jyoti Singh and Tobias Kraze from Makandra.

CVE-2016-2098

If a web applications does not properly sanitize user inputs, an
attacker might control the arguments of the render method in a
controller or a view, resulting in the possibility of executing
arbitrary ruby code.
This bug was found by Tobias Kraze from Makandra and joernchen of
Phenoelit.

For the stable distribution (jessie), these problems have been fixed in
version 2:4.1.8-1+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 2:4.2.5.2-1.

For the unstable distribution (sid), these problems have been fixed in
version 2:4.2.5.2-1.

We recommend that you upgrade your rails packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW4FkEAAoJEG7C3vaP/jd0VUwP/i8VGs83jQkZ8QlNpP8QlhS5
7coDFyerpNk/7TkVgR42PeY50gkgFBBdR1Dxr3XLsb3EDFNz6r6DceEDT145Ym0t
X9E0fgkRFv1ShxK2SkrWAV3IVkuvgJuAEXdKk6/qbOy816BQurAPjgm/ULaG/BiR
BaEyxd5N+t0Bko8szfuiu+kAhkeLhMAa2IjA6f3qFq/aor8pjzqqP1+rfOAd00hU
Xwv6b4jKxQa9gGHcPfnCQd9b+3sVNCo/9K0rN2EdyH8JPUtj2DHrVtekoHG0lRY2
biJzIzXrogUxIfidazJqAvTx3gj5VHKnSDGY+0eKN1Kbx71AnuSk4hB4rgE0WCVq
DEWCfsYKnxcGz48CVtZUUrCmGiNosiJuVy3R+4/qwjc6Idt6Ssw2OwMeUpeghK0J
h6RK98at5DVH4WdxZRZmHsLQl90ckRLqav9z2v01Gnd+v7MzUX7SvcB3Osa4OAaS
gDImML1BOonQFMuQN/mpDT6UbRH96kUZcsrYWt3xIugED1LqS4QLvxr/5LgzoXY8
cPulb11O5EB9XDB4PQmMmrX3bzpAsw5L4l2VYQkQPIm6Gzcoyrugefnm4rjghA2F
1k5qgmi6ESuwonMd+RR0bC5sYCGdAbm6uqwJgkQFeUHJ/csOIUen/3S5rsBq8Bal
P9l9VPGFoFhUL7/HN9Zx
=4cBd
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    8 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close