Your message dated Fri, 20 Mar 2020 00:07:11 +0000
with message-id <[email protected]>
and subject line Bug#954304: fixed in rails 2:5.2.4.1+dfsg-2
has caused the Debian Bug report #954304,
regarding rails: CVE-2020-5267: Possible XSS vulnerability in ActionView
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
954304: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954304
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rails
Version: 2:5.2.4.1+dfsg-1
Severity: important
Tags: security upstream
Control: found -1 2:6.0.2.1+dfsg-2
Control: found -1 2:5.2.2.1+dfsg-1
Control: found -1 2:4.2.7.1-1+deb9u1
Control: found -1 2:4.2.7.1-1
Hi,
The following vulnerability was published for rails.
CVE-2020-5267[0]:
| In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible
| XSS vulnerability in ActionView's JavaScript literal escape helpers.
| Views that use the `j` or `escape_javascript` methods may be
| susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and
| 5.2.4.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-5267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5267
[1] https://www.openwall.com/lists/oss-security/2020/03/19/1
Regards,
Salvatore
--- End Message ---
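The CVE text above only says that views using `j` / `escape_javascript` may be exposed, without showing what a JavaScript string-literal escaper has to cover. The following is an added example, not code from the bug report or from Rails itself: a small escaper modelled on ActionView's escape map, in a legacy variant that stops at quotes, newlines, backslashes and `</`, and a hardened variant that also escapes the backtick and the dollar sign, the two characters that let a value interpolated into an ES2015 template literal close the literal or open a `${...}` substitution (these are the characters the upstream fix added). The constant and method names, and the sample input, are constructed for this example.

```ruby
# Added example (not from the bug report or from Rails): a minimal
# JavaScript string-literal escaper in two variants, plus a checker that
# tells whether an escaped value could still break out of a template literal.

# Legacy map: covers backslash, quotes, line breaks, the "</" that would
# close a <script> tag, and the Unicode line/paragraph separators, but not
# the delimiters of ES2015 template literals.
LEGACY_JS_ESCAPE_MAP = {
  "\\"     => "\\\\",
  "</"     => "<\\/",
  "\r\n"   => "\\n",
  "\n"     => "\\n",
  "\r"     => "\\n",
  '"'      => "\\\"",
  "'"      => "\\'",
  "\u2028" => "\\u2028",
  "\u2029" => "\\u2029",
}.freeze

# Hardened map: additionally escapes the backtick (ends a template literal)
# and the dollar sign (starts a "${...}" substitution), so a value placed
# inside a template literal stays a plain string.
HARDENED_JS_ESCAPE_MAP = LEGACY_JS_ESCAPE_MAP.merge(
  "`" => "\\`",
  "$" => "\\$",
).freeze

# Escape `str` for use inside a JavaScript string or template literal.
# Regexp.union keeps the key order, so the two-character keys ("\r\n", "</")
# are tried before their single-character prefixes.
def escape_js(str, map)
  return "" if str.nil?
  pattern = Regexp.union(*map.keys)
  str.to_s.gsub(pattern) { |m| map[m] }
end

# Scan an already-escaped value the way a JavaScript tokenizer would: a
# backslash consumes the next character, so only an unescaped backtick or
# an unescaped "${" can terminate or interpolate a template literal.
def breaks_template_literal?(escaped)
  i = 0
  while i < escaped.length
    ch = escaped[i]
    if ch == "\\"
      i += 2
      next
    end
    return true if ch == "`"
    return true if ch == "$" && escaped[i + 1] == "{"
    i += 1
  end
  false
end

# Constructed sample input: ordinary text that happens to contain both
# template-literal delimiters, as user-supplied content might.
SAMPLE_INPUT = "Price: ${price} `quoted`"

if __FILE__ == $PROGRAM_NAME
  legacy   = escape_js(SAMPLE_INPUT, LEGACY_JS_ESCAPE_MAP)
  hardened = escape_js(SAMPLE_INPUT, HARDENED_JS_ESCAPE_MAP)
  puts "legacy:   #{legacy.inspect}   breaks literal? #{breaks_template_literal?(legacy)}"
  puts "hardened: #{hardened.inspect}   breaks literal? #{breaks_template_literal?(hardened)}"
end
```

Run on the sample, the legacy variant returns the input unchanged and `breaks_template_literal?` reports `true`; the hardened variant escapes both delimiters and the check reports `false`. The checker is the part worth keeping around: it is independent of which escape map produced the value, so it can be run over the output of any helper an application relies on.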
--- Begin Message ---
Source: rails
Source-Version: 2:5.2.4.1+dfsg-2
Done: Utkarsh Gupta <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated rails package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 20 Mar 2020 05:10:56 +0530
Source: rails
Architecture: source
Version: 2:5.2.4.1+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Closes: 954304
Changes:
rails (2:5.2.4.1+dfsg-2) unstable; urgency=medium
.
* Add patch to fix possible XSS vector in JS escape helper.
(Fixes: CVE-2020-5267) (Closes: #954304)
Checksums-Sha1:
 52ead23db0a74dca987c1ad1e0ca4c61c3271439 4394 rails_5.2.4.1+dfsg-2.dsc
 25fc2250a8f11c85eb7a0b66d7769b06e5c0290e 88536 rails_5.2.4.1+dfsg-2.debian.tar.xz
 0a0e80598d17c1eb10fa195b2130778df68a85d0 19661 rails_5.2.4.1+dfsg-2_amd64.buildinfo
Checksums-Sha256:
 0871c2d850f3e867958c3dd3ab6de7fabb09e87378701d800bb2c765836325b8 4394 rails_5.2.4.1+dfsg-2.dsc
 f62dc996f0c4fb0aa46a3de4b2a6f450905edbfda9f4ecfc7c051e46c894fa44 88536 rails_5.2.4.1+dfsg-2.debian.tar.xz
 c8747bacafee008bf89a569f563d9eb316abb643d4fb017f7720cd605e5229bd 19661 rails_5.2.4.1+dfsg-2_amd64.buildinfo
Files:
 ddd28d616b8b6f733f440db761b2aa75 4394 ruby optional rails_5.2.4.1+dfsg-2.dsc
 79e6d355cc8c5c877f86f8f2031e2b13 88536 ruby optional rails_5.2.4.1+dfsg-2.debian.tar.xz
 00e923c0ca6423294066004ea70cedc7 19661 ruby optional rails_5.2.4.1+dfsg-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=Jumr
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers