Your message dated Sun, 22 Mar 2020 20:42:04 +0000
with message-id <[email protected]>
and subject line Bug#954304: fixed in rails 2:4.2.7.1-1+deb9u2
has caused the Debian Bug report #954304,
regarding rails: CVE-2020-5267: Possible XSS vulnerability in ActionView
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
954304: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954304
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rails
Version: 2:5.2.4.1+dfsg-1
Severity: important
Tags: security upstream
Control: found -1 2:6.0.2.1+dfsg-2
Control: found -1 2:5.2.2.1+dfsg-1
Control: found -1 2:4.2.7.1-1+deb9u1
Control: found -1 2:4.2.7.1-1
Hi,
The following vulnerability was published for rails.
CVE-2020-5267[0]:
| In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible
| XSS vulnerability in ActionView's JavaScript literal escape helpers.
| Views that use the `j` or `escape_javascript` methods may be
| susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and
| 5.2.4.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-5267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5267
[1] https://www.openwall.com/lists/oss-security/2020/03/19/1
Regards,
Salvatore
--- End Message ---
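As an added example (not code from the Rails project or from this Debian upload), the Ruby below is a simplified reconstruction of the escape_javascript helper before and after the CVE-2020-5267 fix. It assumes, from the upstream advisory, that the fix consisted of adding the backtick and dollar sign to the helper's escape map so that escaped output is also inert inside an ES6 template literal; the inert_in_template_literal? check and the sample input are constructed here.

```ruby
# Simplified reconstruction of ActionView's escape_javascript helper
# (added example, not the project's code). JS_ESCAPE_MAP_PRE_FIX is the
# assumed set of characters the helper escaped before CVE-2020-5267.
JS_ESCAPE_MAP_PRE_FIX = {
  "\\" => "\\\\", "</" => '<\/',
  "\r\n" => '\n', "\n" => '\n', "\r" => '\n',
  '"' => '\\"', "'" => "\\'",
  "\u2028" => '&#x2028;', "\u2029" => '&#x2029;'
}.freeze

# The fix (assumption from the upstream advisory): also escape the two
# characters that are special inside an ES6 template literal, ` and $.
JS_ESCAPE_MAP_FIXED = JS_ESCAPE_MAP_PRE_FIX.merge("`" => "\\`", "$" => "\\$").freeze

def escape_javascript_with(map, text)
  # Regexp.union quotes every key; gsub with a Hash substitutes per match.
  text.to_s.gsub(Regexp.union(map.keys), map)
end

def escape_javascript_pre_fix(text)
  escape_javascript_with(JS_ESCAPE_MAP_PRE_FIX, text)
end

def escape_javascript_fixed(text)
  escape_javascript_with(JS_ESCAPE_MAP_FIXED, text)
end

# Defensive check on already-escaped text: it must not be able to close a
# template literal (bare `) or open an interpolation (bare ${). Escaped
# pairs are skipped so that "\\" followed by ` is not misread as safe.
def inert_in_template_literal?(escaped)
  i = 0
  while i < escaped.length
    c = escaped[i]
    if c == "\\"
      i += 2            # skip the escaped character, whatever it is
      next
    end
    return false if c == "`" || (c == "$" && escaped[i + 1] == "{")
    i += 1
  end
  true
end

if __FILE__ == $PROGRAM_NAME
  sample = "x ${1 + 1} y`"   # constructed input, harmless in a quoted JS string
  puts "pre-fix: #{escape_javascript_pre_fix(sample).inspect}"
  puts "fixed:   #{escape_javascript_fixed(sample).inspect}"
end
```

The pre-fix output is unchanged for this input, which is exactly why it was safe inside a quoted JS string but not inside a template literal.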
--- Begin Message ---
Source: rails
Source-Version: 2:4.2.7.1-1+deb9u2
Done: Utkarsh Gupta <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated rails package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 22 Mar 2020 18:05:32 +0530
Source: rails
Binary: ruby-activesupport ruby-activerecord ruby-activemodel ruby-activejob ruby-actionview ruby-actionpack ruby-actionmailer ruby-railties ruby-rails rails
Architecture: source all
Version: 2:4.2.7.1-1+deb9u2
Distribution: stretch
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Description:
rails - MVC ruby based framework geared for web application development (
ruby-actionmailer - email composition, delivery, and receiving framework (part of Rai
ruby-actionpack - web-flow and rendering framework putting the VC in MVC (part of R
ruby-actionview - framework for handling view template lookup and rendering (part o
ruby-activejob - job framework with pluggable queues
ruby-activemodel - toolkit for building modeling frameworks (part of Rails)
ruby-activerecord - object-relational mapper framework (part of Rails)
ruby-activesupport - Support and utility classes used by the Rails 4.1 framework
ruby-rails - MVC ruby based framework geared for web application development
ruby-railties - tools for creating, working with, and running Rails applications
Closes: 954304
Changes:
rails (2:4.2.7.1-1+deb9u2) stretch; urgency=high
.
* Team upload.
* Add patch to fix possible XSS vector in JS escape helper.
(Fixes: CVE-2020-5267) (Closes: #954304)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers