Sylvain Beucler pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
ff078750 by Sylvain Beucler at 2021-07-23T17:51:04+02:00
CVE-2020-8159/ruby-actionpack-page-caching: reference patches
- - - - -
f85b05b8 by Sylvain Beucler at 2021-07-23T17:51:04+02:00
Reserve DLA-2719-1 for ruby-actionpack-page-caching
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -101679,6 +101679,8 @@ CVE-2020-8159 (There is a vulnerability in
actionpack_page-caching gem < v1.2
- ruby-actionpack-page-caching 1.2.2-1 (bug #960680)
[buster] - ruby-actionpack-page-caching <no-dsa> (Minor issue)
NOTE:
https://groups.google.com/forum/#!topic/rubyonrails-security/CFRVkEytdP8
+ NOTE:
https://github.com/rails/actionpack-page_caching/commit/127da70a559bed4fc573fdb4a6d498a7d5815ce2
(v1.2.1)
+ NOTE:
https://github.com/rails/actionpack-page_caching/commit/bf4aab113f90a0c5182009709d5115a1d5772608
(v1.2.2)
CVE-2020-8158 (Prototype pollution vulnerability in the TypeORM package <
0.2.25 m ...)
NOT-FOR-US: TypeORM
CVE-2020-8157 (UniFi Cloud Key firmware <= v1.1.10 for Cloud Key gen2 and
Cloud Ke ...)
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[23 Jul 2021] DLA-2719-1 ruby-actionpack-page-caching - security update
+ {CVE-2020-8159}
+ [stretch] - ruby-actionpack-page-caching 1.0.2-4+deb9u1
[23 Jul 2021] DLA-2718-1 intel-microcode - security update
{CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513}
[stretch] - intel-microcode 3.20210608.2~deb9u2
=====================================
data/dla-needed.txt
=====================================
@@ -75,13 +75,6 @@ python-babel
NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch
(abhijith)
NOTE: 20210620: Revisit when it have an assigned CVE Id. (abhijith)
--
-ruby-actionpack-page-caching (Sylvain Beucler)
- NOTE: 20200819: Upstream's patch on does not apply due to subsequent
- NOTE: 20200819: refactoring. However, a quick look at the private
- NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
- NOTE: 20200819: uses the path without normalising any "../" etc., simply
- NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation.
(lamby)
---
ruby-kaminari
NOTE: 20200819: The source in Debian (at least in LTS) appears to have a
different lineage to
NOTE: 20200819: the one upstream or in its many forks. For example, both dthe
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5df7f6a938a0a4dfe801d220e205f2d936bd0211...f85b05b827a11bdb62b7f74ce0f785bc0f4edb6c
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5df7f6a938a0a4dfe801d220e205f2d936bd0211...f85b05b827a11bdb62b7f74ce0f785bc0f4edb6c
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
