Lucene search

DebianDEBIAN:DLA-1739-1:3959D

HistoryMar 31, 2019 - 1:51 p.m.

[SECURITY] [DLA 1739-1] rails security update

2019-03-3113:51:06

lists.debian.org

102

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8.2 High

AI Score

Confidence

High

0.975 High

EPSS

Percentile

100.0%

JSON

Package : rails
Version : 2:4.1.8-1+deb8u5
CVE ID : CVE-2019-5418 CVE-2019-5419
Debian Bug : 924520

John Hawthorn of Github discovered a file content disclosure
vulnerability in Rails, a ruby based web application framework.
Specially crafted accept headers in combination with calls to render file: can cause arbitrary files on the target server to be rendered,
disclosing the file contents.

This vulnerability could also be exploited for a denial-of-service
attack.

For Debian 8 "Jessie", these problems have been fixed in version
2:4.1.8-1+deb8u5.

We recommend that you upgrade your rails packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8allruby-railties< 2:4.1.8-1+deb8u5ruby-railties_2:4.1.8-1+deb8u5_all.deb
Debian9allruby-activemodel< 2:4.2.7.1-1+deb9u1ruby-activemodel_2:4.2.7.1-1+deb9u1_all.deb
Debian8allruby-activesupport< 2:4.1.8-1+deb8u5ruby-activesupport_2:4.1.8-1+deb8u5_all.deb
Debian8allrails< 2:4.1.8-1+deb8u5rails_2:4.1.8-1+deb8u5_all.deb
Debian8allruby-actionmailer< 2:4.1.8-1+deb8u5ruby-actionmailer_2:4.1.8-1+deb8u5_all.deb
Debian9allruby-actionview< 2:4.2.7.1-1+deb9u1ruby-actionview_2:4.2.7.1-1+deb9u1_all.deb
Debian9allruby-actionmailer< 2:4.2.7.1-1+deb9u1ruby-actionmailer_2:4.2.7.1-1+deb9u1_all.deb
Debian9allruby-activesupport< 2:4.2.7.1-1+deb9u1ruby-activesupport_2:4.2.7.1-1+deb9u1_all.deb
Debian9allruby-activerecord< 2:4.2.7.1-1+deb9u1ruby-activerecord_2:4.2.7.1-1+deb9u1_all.deb
Debian8allruby-activesupport-2.3< 2:4.1.8-1+deb8u5ruby-activesupport-2.3_2:4.1.8-1+deb8u5_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	all	ruby-railties	< 2:4.1.8-1+deb8u5	ruby-railties_2:4.1.8-1+deb8u5_all.deb
Debian	9	all	ruby-activemodel	< 2:4.2.7.1-1+deb9u1	ruby-activemodel_2:4.2.7.1-1+deb9u1_all.deb
Debian	8	all	ruby-activesupport	< 2:4.1.8-1+deb8u5	ruby-activesupport_2:4.1.8-1+deb8u5_all.deb
Debian	8	all	rails	< 2:4.1.8-1+deb8u5	rails_2:4.1.8-1+deb8u5_all.deb
Debian	8	all	ruby-actionmailer	< 2:4.1.8-1+deb8u5	ruby-actionmailer_2:4.1.8-1+deb8u5_all.deb
Debian	9	all	ruby-actionview	< 2:4.2.7.1-1+deb9u1	ruby-actionview_2:4.2.7.1-1+deb9u1_all.deb
Debian	9	all	ruby-actionmailer	< 2:4.2.7.1-1+deb9u1	ruby-actionmailer_2:4.2.7.1-1+deb9u1_all.deb
Debian	9	all	ruby-activesupport	< 2:4.2.7.1-1+deb9u1	ruby-activesupport_2:4.2.7.1-1+deb9u1_all.deb
Debian	9	all	ruby-activerecord	< 2:4.2.7.1-1+deb9u1	ruby-activerecord_2:4.2.7.1-1+deb9u1_all.deb
Debian	8	all	ruby-activesupport-2.3	< 2:4.1.8-1+deb8u5	ruby-activesupport-2.3_2:4.1.8-1+deb8u5_all.deb