-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4578-1                [email protected]
https://www.debian.org/lts/security/                      Sylvain Beucler
May 11, 2026                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package        : rails
Version        : 2:6.0.3.7+dfsg-2+deb11u5
CVE ID         : CVE-2022-32224
Debian Bug     : 1016140

An RCE (Remote Code Execution) escalation was discovered in Ruby on Rails,
an MVC Ruby-based framework for web development. The vulnerability exists
when YAML-serialized columns are used in Active Record: an attacker who is
already able to manipulate data in the database (for example via SQL
injection) could escalate that access to remote code execution when the
stored YAML is deserialized.

Common and safe YAML serialization is handled by this update (support for
the primary Ruby data types and Symbol, as well as newly-serialized
HashWithIndifferentAccess objects). If your application serializes other
classes as YAML, see the following page for how to list those classes in
config.active_record.yaml_column_permitted_classes, or disable the
protection entirely (not recommended, at your own risk) with
config.active_record.use_yaml_unsafe_load=true.

https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017

For Debian 11 bullseye, this problem has been fixed in version
2:6.0.3.7+dfsg-2+deb11u5.

We recommend that you upgrade your rails packages.
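The difference between the restricted and the opt-out load paths described above, as an added example that is not part of the advisory or of the Rails code base. It uses Ruby's Psych (YAML.safe_load with permitted_classes, and YAML.unsafe_load where available) directly; the load_serialized_column helper, the AuditNote class, the DEFAULT_PERMITTED_CLASSES list and the sample payloads are constructed for this illustration and only approximate the shape of the patched Active Record coder, they are not its code.

```ruby
require "yaml"

# Constructed stand-in for an application class that might end up in a
# YAML-serialized Active Record column. Not part of Rails or the advisory.
class AuditNote
  attr_accessor :text

  def initialize(text = nil)
    @text = text
  end
end

# Allowlist applied by default. Assumption: Rails' post-fix default permits
# Symbol on top of the primitive YAML types; extend it per application.
DEFAULT_PERMITTED_CLASSES = [Symbol].freeze

# Approximates the patched YAML column coder (assumption, illustration only):
# restricted load by default, unrestricted load only when the operator has
# explicitly opted out of the protection.
def load_serialized_column(payload, permitted_classes: DEFAULT_PERMITTED_CLASSES,
                           use_yaml_unsafe_load: false)
  if use_yaml_unsafe_load
    # Opt-out path: resolves any !ruby/object tag present in the payload.
    # Shown only for contrast; leave it disabled in production.
    YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(payload) : YAML.load(payload)
  else
    # Restricted path: Psych raises Psych::DisallowedClass for any class
    # tag outside the allowlist; aliases are allowed as Rails does.
    YAML.safe_load(payload, permitted_classes: permitted_classes, aliases: true)
  end
end

# Classifies a stored payload the way a reviewer auditing a database dump
# would: [:ok, nil] if it loads under the allowlist, [:rejected, reason]
# otherwise. Nothing is executed beyond the restricted load itself.
def classify_payload(payload, permitted_classes: DEFAULT_PERMITTED_CLASSES)
  load_serialized_column(payload, permitted_classes: permitted_classes)
  [:ok, nil]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# Constructed sample column contents.
SAFE_PAYLOAD    = YAML.dump({ role: :reader, tags: %w[a b] }) # primitives + Symbol
TAINTED_PAYLOAD = YAML.dump(AuditNote.new("hello"))           # custom object tag

if __FILE__ == $PROGRAM_NAME
  p classify_payload(SAFE_PAYLOAD)                                 # [:ok, nil]
  p classify_payload(TAINTED_PAYLOAD)                              # [:rejected, "Tried to load ..."]
  p classify_payload(TAINTED_PAYLOAD, permitted_classes: [Symbol, AuditNote]) # [:ok, nil]
end
```

In a Rails application the second classify_payload call corresponds to adding the class to config.active_record.yaml_column_permitted_classes (the key named in the advisory) rather than turning on config.active_record.use_yaml_unsafe_load, which removes the check for every column.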
For the detailed security status of rails please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rails

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmoB2QAACgkQDTl9HeUl
XjDm3RAApdNJevL0ktxrKPD8JU8XQL+bQ81e2tyNYHjlsFNJhH+SwIhFT1I6RudH
P9ZHteI/DCiLT7/1QZxooBRIFPAumVg0OOznECOVdMHY+G19IVuKLHFfjaaW6upP
jGOn+Bq4Siptdw8pN3LrlVYLxLH3op0beoIwn5JNhfMkvXbw6d6Y1YM+X2q+/1k9
xaDyL76LtQFvtP1R9DkLa7fZj6mMwwymhXlzT8MzXO2qUozyqRn3MBqVwCrTsfQd
6FN8M8JAIlci04tXAmFfNhv3cWOAzfwDma2H/RYFdP3slkU3U3lvRP6vP8s7NW15
1EmTzH/PpA7qTHio268hVqnNGJYsYQBByTswXBUD9Jmmm86ivwIjKTk1mx6JEeq4
99IbMAECS5uDy7RZDVY30DN+BT0T5q798fpgqwHTyqT7QwN1vIiveBYTzXqd6zLl
s6EP/R2LPFq/Xt1UpmYtF59wDRtMyIR6K2J26Wzo1VKw0Bw0GiCe5qhOJwVaoSuL
TfVCX5VkL4KqjZqdC7oNoyspQeXySBgNn4Y0WuZ/WatZ4fejzzABswBtgO/3yQAm
oWD42Swtf75R2DZxnQsVb/eaRhBkVuYbUsKMLAFl+yGM0q4M434JGezkOQlSJr7C
4tHZNUGjx6oWJhJJ0+gJinANdl2Bg/0jWTh6nveDa8nnwUFB8J0=
=9OpW
-----END PGP SIGNATURE-----
