Your message dated Wed, 19 Mar 2025 19:48:17 +0000
with message-id <[email protected]>
and subject line Bug#1085376: fixed in rails 2:6.1.7.10+dfsg-1~deb12u1
has caused the Debian Bug report #1085376,
regarding rails: CVE-2024-47889 CVE-2024-47888 CVE-2024-47887 CVE-2024-41128
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1085376: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rails
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for rails.
CVE-2024-47889[0]:
| Action Mailer is a framework for designing email service layers.
| Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5,
| 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the
| block_format helper in Action Mailer. Carefully crafted text can
| cause the block_format helper to take an unexpected amount of time,
| possibly resulting in a DoS vulnerability. All users running an
| affected release should either upgrade to versions 6.1.7.9, 7.0.8.5,
| 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a
| workaround, users can avoid calling the `block_format` helper or
| upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so
| Rails applications using Ruby 3.2 or newer are unaffected. Rails
| 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.
https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9
CVE-2024-47888[1]:
| Action Text brings rich text content and editing to Rails. Starting
| in version 6.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1,
| and 7.2.1.1, there is a possible ReDoS vulnerability in the
| `plain_text_for_blockquote_node` helper in Action Text. Carefully
| crafted text can cause the `plain_text_for_blockquote_node` helper
| to take an unexpected amount of time, possibly resulting in a DoS
| vulnerability. All users running an affected release should either
| upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply
| the relevant patch immediately. As a workaround, users can avoid
| calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2.
| Ruby 3.2 has mitigations for this problem, so Rails applications
| using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on
| Ruby 3.2 or greater so is unaffected.
https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
https://github.com/rails/rails/commit/4f4312b21a6448336de7c7ab0c4d94b378def468
CVE-2024-47887[2]:
| Action Pack is a framework for handling and responding to web
| requests. Starting in version 4.0.0 and prior to versions 6.1.7.9,
| 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS
| vulnerability in Action Controller's HTTP Token authentication. For
| applications using HTTP Token authentication via
| `authenticate_or_request_with_http_token` or similar, a carefully
| crafted header may cause header parsing to take an unexpected amount
| of time, possibly resulting in a DoS vulnerability. All users
| running an affected release should either upgrade to versions
| 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch
| immediately. One may choose to use Ruby 3.2 as a workaround. Ruby 3.2
| has mitigations for this problem, so Rails applications using Ruby
| 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2
| or greater so is unaffected.
https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545
CVE-2024-41128[3]:
| Action Pack is a framework for handling and responding to web
| requests. Starting in version 3.1.0 and prior to versions 6.1.7.9,
| 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS
| vulnerability in the query parameter filtering routines of Action
| Dispatch. Carefully crafted query parameters can cause query
| parameter filtering to take an unexpected amount of time, possibly
| resulting in a DoS vulnerability. All users running an affected
| release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1,
| or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby
| 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so
| Rails applications using Ruby 3.2 or newer are unaffected. Rails
| 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-47889
https://www.cve.org/CVERecord?id=CVE-2024-47889
[1] https://security-tracker.debian.org/tracker/CVE-2024-47888
https://www.cve.org/CVERecord?id=CVE-2024-47888
[2] https://security-tracker.debian.org/tracker/CVE-2024-47887
https://www.cve.org/CVERecord?id=CVE-2024-47887
[3] https://security-tracker.debian.org/tracker/CVE-2024-41128
https://www.cve.org/CVERecord?id=CVE-2024-41128
Please adjust the affected versions in the BTS as needed.
--- End Message ---
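As an added example (not from the bug report, the Debian package or Rails itself), a Ruby triage helper that applies the version ranges quoted in the four advisories above: the Rails release that introduced each issue, the fixed release on each maintained branch, and the Ruby 3.2 regex mitigation that makes newer Rubies unaffected. The `upstream_version` helper is an assumption about Debian's `epoch:upstream-revision` version layout, used to feed the fixed package version `2:6.1.7.10+dfsg-1~deb12u1` into the same check.

```ruby
# Triage helper for the four Rails ReDoS CVEs (added example, not project code).
require "rubygems" # Gem::Version gives correct multi-segment version ordering

# Rails version in which each issue first appeared, per the advisory text.
RAILS_REDOS_CVES = {
  "CVE-2024-47889" => { component: "Action Mailer block_format",                  since: "3.0.0" },
  "CVE-2024-47888" => { component: "Action Text plain_text_for_blockquote_node",  since: "6.0.0" },
  "CVE-2024-47887" => { component: "Action Controller HTTP Token authentication", since: "4.0.0" },
  "CVE-2024-41128" => { component: "Action Dispatch query parameter filtering",   since: "3.1.0" },
}.freeze

# Fixed release on every branch the advisories list, ascending.
FIXED_RAILS = %w[6.1.7.9 7.0.8.5 7.1.4.1 7.2.1.1].map { |v| Gem::Version.new(v) }.freeze
# Ruby 3.2 ships regex-engine mitigations, so apps on it are treated as unaffected.
RUBY_MITIGATED = Gem::Version.new("3.2")

# Strip a Debian version down to the upstream part (assumed layout:
# "[epoch:]upstream[+dfsg...][-debian_revision]").
def upstream_version(debian_version)
  debian_version.sub(/\A\d+:/, "").sub(/-[^-]*\z/, "").sub(/\+dfsg.*\z/, "")
end

# Fixed release on the same major.minor branch as +rails+, or nil if the
# advisories list no fix for that branch.
def fixed_release_for(rails)
  FIXED_RAILS.find { |f| f.segments[0, 2] == rails.segments[0, 2] }
end

# True when +rails+ is below the fix on its branch, or on a branch older than
# any fixed branch (no fixed release exists there at all).
def vulnerable_rails?(rails)
  fixed = fixed_release_for(rails)
  return rails < fixed if fixed
  rails < FIXED_RAILS.first
end

# CVE ids that apply to a given Rails/Ruby pair (empty array = not affected).
def affected_cves(rails_version, ruby_version)
  rails = Gem::Version.new(rails_version)
  return [] if Gem::Version.new(ruby_version) >= RUBY_MITIGATED
  return [] unless vulnerable_rails?(rails)
  RAILS_REDOS_CVES.select { |_id, info| rails >= Gem::Version.new(info[:since]) }.keys
end

if $PROGRAM_NAME == __FILE__
  debian_fix = upstream_version("2:6.1.7.10+dfsg-1~deb12u1")
  puts "#{debian_fix} on Ruby 3.1: #{affected_cves(debian_fix, '3.1.2').inspect}"
end
```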
--- Begin Message ---
Source: rails
Source-Version: 2:6.1.7.10+dfsg-1~deb12u1
Done: Utkarsh Gupta <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated rails package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 14 Mar 2025 20:02:55 +0530
Source: rails
Built-For-Profiles: noudeb
Architecture: source
Version: 2:6.1.7.10+dfsg-1~deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Closes: 1051057 1051058 1065119 1072705 1085376 1089755
Changes:
rails (2:6.1.7.10+dfsg-1~deb12u1) bookworm-security; urgency=medium
.
* New upstream version 6.1.7.10+dfsg.
(Fixes: CVE-2023-28362, CVE-2023-38037, CVE-2024-26144, CVE-2024-28103,
CVE-2024-41128, CVE-2024-47887, CVE-2024-47888, CVE-2024-47889)
(Closes: #1051058, #1051057, #1065119, #1072705, #1085376)
* Add patch to add CSP directive validation.
(Fixes: CVE-2024-54133) (Closes: #1089755)
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers