Your message dated Sun, 22 Mar 2020 19:52:19 +0000
with message-id <[email protected]>
and subject line Bug#954304: fixed in rails 2:5.2.2.1+dfsg-1+deb10u1
has caused the Debian Bug report #954304,
regarding rails: CVE-2020-5267: Possible XSS vulnerability in ActionView
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
954304: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954304
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rails
Version: 2:5.2.4.1+dfsg-1
Severity: important
Tags: security upstream
Control: found -1 2:6.0.2.1+dfsg-2
Control: found -1 2:5.2.2.1+dfsg-1
Control: found -1 2:4.2.7.1-1+deb9u1
Control: found -1 2:4.2.7.1-1

Hi,

The following vulnerability was published for rails.

CVE-2020-5267[0]:
| In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible
| XSS vulnerability in ActionView's JavaScript literal escape helpers.
| Views that use the `j` or `escape_javascript` methods may be
| susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and
| 5.2.4.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5267
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5267
[1] https://www.openwall.com/lists/oss-security/2020/03/19/1

Regards,
Salvatore

--- End Message ---
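The report above names the affected helpers but not the mechanism. For context: the upstream fix for CVE-2020-5267 added the backtick and the dollar sign to ActionView's JS_ESCAPE_MAP, because a value escaped by the older helper could still terminate an ES6 template literal, or start an interpolation inside one via `${...}`; that is what makes a view such as `<script>var x = `<%= j @value %>`;</script>` exploitable. The following is an added example, not code from the bug report, the Rails project or the Debian package: it reconstructs the helper in stand-alone Ruby before and after that change and checks each output for an unescaped template-literal delimiter. The escape maps mirror ActionView's; the `render_greeting` view fragment, the `breaks_template_literal?` scanner and the attacker payload are constructed for the demonstration.

```ruby
# Added example: stand-alone reconstruction of ActionView's escape_javascript
# before and after the CVE-2020-5267 fix. Not code from the bug report, from
# Rails or from the Debian package. The escape maps mirror
# ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP; the helper is a
# simplified rewrite (no html_safe handling, no Rails dependency); the view
# fragment, the scanner and the payload are constructed for this demo.
module JsEscape
  # Characters the helper escaped before the fix (ActionView <= 5.2.4.1 / 6.0.2.1).
  # Keys are the matched text, values are what gets emitted instead.
  PRE_FIX_MAP = {
    "\\"     => "\\\\",     # backslash -> \\
    "</"     => '<\/',      # </ -> <\/ so the value cannot close a <script> element
    "\r\n"   => '\n',
    "\n"     => '\n',
    "\r"     => '\n',
    '"'      => '\\"',
    "'"      => "\\'",
    "\u2028" => "&#x2028;", # JS line / paragraph separators
    "\u2029" => "&#x2029;",
  }.freeze
  PRE_FIX_RE = /(\\|<\/|\r\n|\u2028|\u2029|[\n\r"'])/u

  # The upstream fix added the two ES6 template-literal delimiters.
  FIXED_MAP = PRE_FIX_MAP.merge("`" => "\\`", "$" => "\\$").freeze
  FIXED_RE  = /(\\|<\/|\r\n|\u2028|\u2029|[\n\r"'`$])/u

  # String#gsub with a Hash replaces each match by looking the matched text
  # up as a key, which is how the fixed upstream helper does it.
  def self.escape_pre_fix(javascript)
    javascript.to_s.gsub(PRE_FIX_RE, PRE_FIX_MAP)
  end

  def self.escape_fixed(javascript)
    javascript.to_s.gsub(FIXED_RE, FIXED_MAP)
  end

  # True when an escaped value, dropped inside a JS template literal, would
  # still terminate the literal (unescaped backtick) or open an interpolation
  # (unescaped "${"). A delimiter only counts as escaped when it is preceded
  # by an odd number of backslashes.
  def self.breaks_template_literal?(escaped)
    escaped.scan(/(\\*)(`|\$\{)/).any? { |backslashes, _| backslashes.length.even? }
  end

  # What a constructed view such as
  #   <script>var greeting = `Hello <%= j @name %>`;</script>
  # emits for a given @name, using the pre-fix or the fixed helper.
  def self.render_greeting(name, fixed: true)
    escaped = fixed ? escape_fixed(name) : escape_pre_fix(name)
    "var greeting = `Hello #{escaped}`;"
  end
end

if $PROGRAM_NAME == __FILE__
  payload = "${alert(document.domain)}" # constructed attacker-controlled @name
  [false, true].each do |fixed|
    escaped = fixed ? JsEscape.escape_fixed(payload) : JsEscape.escape_pre_fix(payload)
    verdict = JsEscape.breaks_template_literal?(escaped) ? "BREAKS OUT" : "safe"
    puts "#{fixed ? 'fixed  ' : 'pre-fix'}: #{JsEscape.render_greeting(payload, fixed: fixed)}  [#{verdict}]"
  end
end
```

Running the file prints both rendered fragments: the pre-fix helper passes `${alert(document.domain)}` into the template literal untouched, so the browser evaluates it; the fixed helper emits `\${...}`, which a template literal treats as the literal characters. The scanner only covers the template-literal context: `escape_javascript` output is still not safe to place in an HTML attribute or anywhere outside a quoted JS string, and the Debian buster package in the closing message below backports exactly this map change onto 5.2.2.1.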
--- Begin Message ---
Source: rails
Source-Version: 2:5.2.2.1+dfsg-1+deb10u1
Done: Utkarsh Gupta <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 22 Mar 2020 18:47:31 +0530
Source: rails
Binary: rails ruby-actioncable ruby-actionmailer ruby-actionpack ruby-actionview ruby-activejob ruby-activemodel ruby-activerecord ruby-activestorage ruby-activesupport ruby-rails ruby-railties
Architecture: source all
Version: 2:5.2.2.1+dfsg-1+deb10u1
Distribution: buster
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Description:
 rails      - MVC ruby based framework geared for web application development (
 ruby-actioncable - WebSocket framework for Rails (part of Rails)
 ruby-actionmailer - email composition, delivery, and receiving framework (part of Rai
 ruby-actionpack - web-flow and rendering framework putting the VC in MVC (part of R
 ruby-actionview - framework for handling view template lookup and rendering (part o
 ruby-activejob - job framework with pluggable queues
 ruby-activemodel - toolkit for building modeling frameworks (part of Rails)
 ruby-activerecord - object-relational mapper framework (part of Rails)
 ruby-activestorage - Local and cloud file storage framework (part of Rails)
 ruby-activesupport - Support and utility classes used by the Rails 4.1 framework
 ruby-rails - MVC ruby based framework geared for web application development
 ruby-railties - tools for creating, working with, and running Rails applications
Closes: 954304
Changes:
 rails (2:5.2.2.1+dfsg-1+deb10u1) buster; urgency=high
 .
   * Team upload.
   * Add patch to fix possible XSS vector in JS escape helper.
     (Fixes: CVE-2020-5267) (Closes: #954304)
Checksums-Sha1:
 f93405af4a9126d6a3f9fcdbe1d696de349f3600 4417 rails_5.2.2.1+dfsg-1+deb10u1.dsc
 89e94af74ee9bc3229d4e6ef1af562ccd3313662 6143580 rails_5.2.2.1+dfsg.orig.tar.xz
 043303fdcd450f3b050993f100a14ac5f97818c2 88092 rails_5.2.2.1+dfsg-1+deb10u1.debian.tar.xz
 a760da339db136c4a426b55a6e3e91059af5cf7a 14680 rails_5.2.2.1+dfsg-1+deb10u1_all.deb
 a3ca4169bdc15ac0461e2d07aea3e960afb58da1 21930 rails_5.2.2.1+dfsg-1+deb10u1_amd64.buildinfo
 6f3afef0020c484679d5f5ba5af89625ff617fd2 42064 ruby-actioncable_5.2.2.1+dfsg-1+deb10u1_all.deb
 f394d8aabb01d8096b72b1adcfff0927dba3a499 37796 ruby-actionmailer_5.2.2.1+dfsg-1+deb10u1_all.deb
 716a1b5b7870de6739c62ab80a55fa15b4920e80 183984 ruby-actionpack_5.2.2.1+dfsg-1+deb10u1_all.deb
 0d5283c7805f30deb0754801152568ea5e74760f 143940 ruby-actionview_5.2.2.1+dfsg-1+deb10u1_all.deb
 4958612376af44e3844a765567d56e740b3ff5a0 34660 ruby-activejob_5.2.2.1+dfsg-1+deb10u1_all.deb
 5396736cef9d8628afbb6ac6eaa88038e5860a95 60404 ruby-activemodel_5.2.2.1+dfsg-1+deb10u1_all.deb
 c15867f3b1350a95098f05b8e77024936aa7494f 289720 ruby-activerecord_5.2.2.1+dfsg-1+deb10u1_all.deb
 236ae384309071aff572867c6c90acd5921d8418 49280 ruby-activestorage_5.2.2.1+dfsg-1+deb10u1_all.deb
 d8770edb44c798c83b4dec5c5f3f00329484f3fa 236512 ruby-activesupport_5.2.2.1+dfsg-1+deb10u1_all.deb
 d2b19eef6859e3ecffc6baeab332befedba4d97d 18816 ruby-rails_5.2.2.1+dfsg-1+deb10u1_all.deb
 f7f7926ce72da1442529ec2a8c969230467da089 224116 ruby-railties_5.2.2.1+dfsg-1+deb10u1_all.deb
Checksums-Sha256:
 0b281696ac5c09a65045f8d3f83968a4d6311665533c3374d1f38eab2f2f0df3 4417 rails_5.2.2.1+dfsg-1+deb10u1.dsc
 152ca2e473cd10de7fe319e145fac7165368d136b115b37ac5f7e261dc98fa60 6143580 rails_5.2.2.1+dfsg.orig.tar.xz
 642a789cb05c54b79c25d7b34e6f47c91c841998d2e82aadaa49dcde1aa8a797 88092 rails_5.2.2.1+dfsg-1+deb10u1.debian.tar.xz
 5a65c81122f37001cd3e9b621bc2b6b3dfdc7e38eefc5ea5f75e1a673524e29e 14680 rails_5.2.2.1+dfsg-1+deb10u1_all.deb
 1f05c485bb621749e6bf6208dfaac85e762093fbbc1fe4e616cb179184ee6521 21930 rails_5.2.2.1+dfsg-1+deb10u1_amd64.buildinfo
 1b5a0621176f5e7df3c2c4952784a21fb915af7e504e353eb3fe0e67df3b5ece 42064 ruby-actioncable_5.2.2.1+dfsg-1+deb10u1_all.deb
 1146f96dd5af99e433d0ccc9cace14b2a5df928d148425c46a71d32487398756 37796 ruby-actionmailer_5.2.2.1+dfsg-1+deb10u1_all.deb
 94f11bc80cd73c90d8d2a996cd088bfbbab02bc82fd965bb5983e60d8a0c2a05 183984 ruby-actionpack_5.2.2.1+dfsg-1+deb10u1_all.deb
 0d4ba059677f5bc739b53dee71c4397eebfbbd6ea96b652cabbbaee3a3655388 143940 ruby-actionview_5.2.2.1+dfsg-1+deb10u1_all.deb
 990507f3a5fd3a80e90629cea98db9fb425719b54560ae4a6270fe3c35088a3b 34660 ruby-activejob_5.2.2.1+dfsg-1+deb10u1_all.deb
 c9f2dfbeb10c3a85283297feed25c70758c54f334ece1347a8c04a415d12702e 60404 ruby-activemodel_5.2.2.1+dfsg-1+deb10u1_all.deb
 f3c09c973c0901d826c771fdc547cfb61a13ca3f6146956bb5147bae70938e7c 289720 ruby-activerecord_5.2.2.1+dfsg-1+deb10u1_all.deb
 439c5b1802c6bd1990cb8bdd76bccffc0280b2ae23b015f7d9b01d6ac1782af7 49280 ruby-activestorage_5.2.2.1+dfsg-1+deb10u1_all.deb
 ab9f258391cb9853c32b84e6f5b7a96a60468ee5d3deed49679402382b5f15bb 236512 ruby-activesupport_5.2.2.1+dfsg-1+deb10u1_all.deb
 46c901280c69f4a3f4e6a9689f772c292c5f9987055222ca084e76e8ad7a522b 18816 ruby-rails_5.2.2.1+dfsg-1+deb10u1_all.deb
 f4ed973d96aedb974be4c0d6b399d1df4cecb71ef974a8756e4ebcfc59ad4449 224116 ruby-railties_5.2.2.1+dfsg-1+deb10u1_all.deb
Files:
 42d34449f6c5bd877875e79a6e4fca1a 4417 ruby optional rails_5.2.2.1+dfsg-1+deb10u1.dsc
 e7a6fc5e34aa81571b98d962770e290e 6143580 ruby optional rails_5.2.2.1+dfsg.orig.tar.xz
 2a2ffddae06663c9d8b282ee74106240 88092 ruby optional rails_5.2.2.1+dfsg-1+deb10u1.debian.tar.xz
 90fa0c24d96c699a36951e3004ae4b55 14680 ruby optional rails_5.2.2.1+dfsg-1+deb10u1_all.deb
 53dffacd63cd198c0954c77f0cff88a7 21930 ruby optional rails_5.2.2.1+dfsg-1+deb10u1_amd64.buildinfo
 c3a661d9e4f866b8810a317b06eab9f3 42064 ruby optional ruby-actioncable_5.2.2.1+dfsg-1+deb10u1_all.deb
 e9dc2b713877f3ce2ebb60972987160a 37796 ruby optional ruby-actionmailer_5.2.2.1+dfsg-1+deb10u1_all.deb
 93314a3b05efec3be4a6ee59fc64b1a2 183984 ruby optional ruby-actionpack_5.2.2.1+dfsg-1+deb10u1_all.deb
 f712ce062092d1195c55f86076498024 143940 ruby optional ruby-actionview_5.2.2.1+dfsg-1+deb10u1_all.deb
 3251962cfee12e3a87efc19df9dab07b 34660 ruby optional ruby-activejob_5.2.2.1+dfsg-1+deb10u1_all.deb
 6f94b204895f9ef4c3e91d6d576842ae 60404 ruby optional ruby-activemodel_5.2.2.1+dfsg-1+deb10u1_all.deb
 33e8beff6d5dcd680debb9a28c4a04b2 289720 ruby optional ruby-activerecord_5.2.2.1+dfsg-1+deb10u1_all.deb
 1f2a5dec9ec0021aee8ea075a61b0547 49280 ruby optional ruby-activestorage_5.2.2.1+dfsg-1+deb10u1_all.deb
 f1fbe9d2ba18df484e2c278fd0c3efb0 236512 ruby optional ruby-activesupport_5.2.2.1+dfsg-1+deb10u1_all.deb
 4af1c6129b1d35d9371d6f854cba5f79 18816 ruby optional ruby-rails_5.2.2.1+dfsg-1+deb10u1_all.deb
 1bf59fce00ae76fab5d814f4c876cb0c 224116 ruby optional ruby-railties_5.2.2.1+dfsg-1+deb10u1_all.deb


--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
