Your message dated Sat, 15 Mar 2025 00:38:45 +0530
with message-id
<capp0f95jex5t4k7ywsyavkos818hpqmc8k41d_ngt-a8a0m...@mail.gmail.com>
and subject line Bug#1089755: fixed in rails 2:7.2.2.1+dfsg-1
has caused the Debian Bug report #1089755,
regarding rails: CVE-2024-54133: Possible Content Security Policy bypass in
Action Dispatch
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1089755: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rails
Version: 2:6.1.7.3+dfsg-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2:5.2.0+dfsg-1
Hi,
The following vulnerability was published for rails.
CVE-2024-54133[0]:
| Action Pack is a framework for handling and responding to web
| requests. There is a possible Cross Site Scripting (XSS)
| vulnerability in the `content_security_policy` helper starting in
| version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1,
| 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy
| (CSP) headers dynamically from untrusted user input may be
| vulnerable to carefully crafted inputs being able to inject new
| directives into the CSP. This could lead to a bypass of the CSP and
| its protection against XSS and other attacks. Versions 7.0.8.7,
| 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround,
| applications can avoid setting CSP headers dynamically from
| untrusted input, or can validate/sanitize that input.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-54133
https://www.cve.org/CVERecord?id=CVE-2024-54133
[1] https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
Regards,
Salvatore
--- End Message ---
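The CVE text above describes the bug class only in prose. The following is an added illustration, written for this page and not taken from Rails or from the upstream patch: a minimal model of a CSP header builder, the directive injection that CVE-2024-54133 describes (an untrusted value carrying the ";" directive separator), and the "validate/sanitize that input" workaround the advisory recommends. The `build_csp`, `parse_csp` and `*_from_untrusted_host` helpers, the `host` request parameter and the payload are all constructed for the example.

```ruby
# Added illustration (not Rails' own code nor the upstream fix): a minimal
# model of a CSP header builder, the directive injection that CVE-2024-54133
# describes, and the "validate/sanitize that input" workaround.

class InvalidCspSource < ArgumentError; end

# Serialize directive => [sources] into a header value. This follows the CSP
# grammar: directives are separated by ";", sources inside a directive by
# whitespace. Nothing here escapes the sources, which is what makes raw
# interpolation of untrusted input dangerous.
def build_csp(directives)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
end

# Parse a header value back into directive => [sources], roughly as a browser
# does, so we can see how the serialized policy is actually interpreted.
def parse_csp(header)
  header.split(";").each_with_object({}) do |chunk, policy|
    name, *sources = chunk.strip.split(/[[:space:]]+/)
    next if name.nil? || name.empty?
    (policy[name] ||= []).concat(sources)
  end
end

# Vulnerable pattern: a per-tenant image host taken from the request
# (hypothetical `host` parameter) is dropped straight into img-src.
def csp_from_untrusted_host(host)
  build_csp("default-src" => ["'self'"], "img-src" => ["'self'", host])
end

# Workaround modeled on the advisory's advice: a single source token may not
# contain the directive separator ";" or any whitespace (space, tab, CR, LF),
# because either lets one token turn into extra sources or extra directives.
def validate_csp_source!(directive, source)
  if source.include?(";") || source.match?(/[[:space:]]/)
    raise InvalidCspSource,
          "invalid #{directive} source #{source.inspect}: must not contain ';' or whitespace"
  end
  source
end

# Stricter option for this particular use: allowlist what a host source can
# legitimately look like (hostname, optional scheme and port) instead of
# denylisting separators. Wildcards such as *.example.com are deliberately
# not accepted here.
HOST_SOURCE = /\A(?:https?:\/\/)?[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*(?::\d{1,5})?\z/i

def valid_host_source?(source)
  HOST_SOURCE.match?(source)
end

def safe_csp_from_untrusted_host(host)
  validate_csp_source!("img-src", host)
  unless valid_host_source?(host)
    raise InvalidCspSource, "img-src host #{host.inspect} is not a plain host source"
  end
  csp_from_untrusted_host(host)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed payload: a "host" that smuggles a whole script-src directive.
  payload = "cdn.example.com; script-src 'unsafe-inline' evil.example"
  puts "vulnerable header: #{csp_from_untrusted_host(payload)}"
  puts "browser sees:      #{parse_csp(csp_from_untrusted_host(payload)).inspect}"
  begin
    safe_csp_from_untrusted_host(payload)
  rescue InvalidCspSource => e
    puts "hardened builder rejected it: #{e.message}"
  end
end
```

Run with `ruby csp_injection.rb`: the vulnerable builder emits a policy in which the attacker-controlled value has become a separate `script-src 'unsafe-inline' evil.example` directive, which is exactly the CSP bypass the advisory warns about; the hardened builder raises before the header is ever built. Rejecting whitespace as well as ";" matters because a space or newline inside one token adds extra sources to the same directive (or, with CRLF, can reach the header framing), even when no new directive is injected.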
--- Begin Message ---
Source: rails
Source-Version: 2:7.2.2.1+dfsg-1
Done: Utkarsh Gupta <[email protected]>
This is already fixed in the 2:7.2.2.1+dfsg-1 upload. Marking that as such.
- u
--- End Message ---