Debian Bug report logs - #1011941
rails: CVE-2022-22577 - XSS Vulnerability in Action Pack
Reported by: Neil Williams <codehelp@debian.org>
Date: Fri, 27 May 2022 11:57:01 UTC
Severity: important
Tags: security, upstream
Found in versions rails/2:5.2.2.1+dfsg-1+deb10u3, rails/2:5.2.2.1+dfsg-1, rails/2:6.0.3.7+dfsg-2, rails/2:6.1.4.6+dfsg-2
Fixed in version rails/2:6.1.6.1+dfsg-1
Done: Gabriela Pivetta <gpivetta99@gmail.com>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, codehelp@debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#1011941; Package src:rails.
(Fri, 27 May 2022 11:57:03 GMT)
Acknowledgement sent
to Neil Williams <codehelp@debian.org>:
New Bug report received and forwarded. Copy sent to codehelp@debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>.
(Fri, 27 May 2022 11:57:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: rails
Version: 2:6.1.4.6+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for rails.
CVE-2022-22577[0]:
| An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that
| could allow an attacker to bypass CSP for non HTML like responses.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-22577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.17.0-2-amd64 (SMP w/6 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
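The advisory text above is a single sentence: a Content-Security-Policy bypass "for non HTML like responses". The following Ruby is an added illustration of that class of bug and is not Rails' middleware or the upstream patch. It assumes a Rack-style pipeline and constructs a deliberately unsafe demo app (`REFLECTING_APP`) that reflects a query parameter and lets the client choose the response media type; the two middleware classes, the policy string and the `csp_header_for` helper are constructed here. The weak variant attaches the policy only when the response is `text/html`, so a client that negotiates a different format gets a response with no policy at all; the hardened variant attaches the policy to every response, which is the direction the advisory implies.

```ruby
require "uri"

# Constructed policy used by both middleware variants.
CSP_POLICY = "default-src 'self'; script-src 'self'".freeze

# Weak variant (illustrative, not Rails' code): the policy is applied only to
# responses whose Content-Type says HTML. Any response obtained under another
# media type leaves the browser without a policy, so a reflected payload in
# such a response is not constrained by CSP.
class CspOnlyForHtml
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if headers["Content-Type"].to_s.start_with?("text/html")
      headers["Content-Security-Policy"] = CSP_POLICY
    end
    [status, headers, body]
  end
end

# Hardened variant (illustrative): the header is set regardless of media type,
# so format negotiation cannot be used to obtain an unprotected response.
class CspForAllResponses
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers["Content-Security-Policy"] = CSP_POLICY
    [status, headers, body]
  end
end

# Constructed demo endpoint: reflects ?name= into the body (an XSS sink) and
# lets ?format=json switch the media type, standing in for the request-format
# negotiation a Rails action performs. Deliberately unsafe so the middleware
# behaviour is observable.
REFLECTING_APP = lambda do |env|
  params = URI.decode_www_form(env["QUERY_STRING"].to_s).to_h
  name = params.fetch("name", "anonymous")
  type = params["format"] == "json" ? "application/json" : "text/html"
  payload = type == "text/html" ? "<p>Hello #{name}</p>" : %({"greeting":"Hello #{name}"})
  [200, { "Content-Type" => type }, [payload]]
end

# Runs one GET through the given middleware and returns the CSP header value
# (nil when the response carries no policy).
def csp_header_for(middleware_class, query)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/greet", "QUERY_STRING" => query }
  _status, headers, _body = middleware_class.new(REFLECTING_APP).call(env)
  headers["Content-Security-Policy"]
end

if __FILE__ == $PROGRAM_NAME
  hostile = "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
  puts "weak,  html: #{csp_header_for(CspOnlyForHtml, hostile).inspect}"
  puts "weak,  json: #{csp_header_for(CspOnlyForHtml, hostile + '&format=json').inspect}"
  puts "fixed, json: #{csp_header_for(CspForAllResponses, hostile + '&format=json').inspect}"
end
```

The check a practitioner wants after upgrading is the same as the one this script performs: request the affected endpoint under every media type the application will serve (`.json`, `.txt`, `.xml`, and any custom formats) and confirm the `Content-Security-Policy` header is present on each, not only on the HTML rendering.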
Marked as found in versions rails/2:6.0.3.7+dfsg-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 27 May 2022 19:33:03 GMT)
Marked as found in versions rails/2:5.2.2.1+dfsg-1+deb10u3.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 27 May 2022 19:33:03 GMT)
Marked as found in versions rails/2:5.2.2.1+dfsg-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 27 May 2022 19:33:03 GMT)
Reply sent
to Gabriela Pivetta <gpivetta99@gmail.com>:
You have taken responsibility.
(Tue, 23 Aug 2022 19:09:03 GMT)
Notification sent
to Neil Williams <codehelp@debian.org>:
Bug acknowledged by developer.
(Tue, 23 Aug 2022 19:09:03 GMT)
Message #16 received at 1011941-close@bugs.debian.org:
Source: rails
Source-Version: 2:6.1.6.1+dfsg-1
Done: Gabriela Pivetta <gpivetta99@gmail.com>
We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1011941@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gabriela Pivetta <gpivetta99@gmail.com> (supplier of updated rails package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 18 Aug 2022 15:46:46 -0300
Source: rails
Architecture: source
Version: 2:6.1.6.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Gabriela Pivetta <gpivetta99@gmail.com>
Closes: 1011941 1016140 1016982
Changes:
rails (2:6.1.6.1+dfsg-1) unstable; urgency=medium
.
[ Pirate Praveen ]
* Remove <!nocheck> build profile from runtime dependencies.
.
[ Utkarsh Gupta ]
* New upstream version 6.1.6.1+dfsg. (Fixes: CVE-2022-22577,
CVE-2022-27777, CVE-2022-32224) (Closes: #1011941, #1016982, #1016140)
* d/control: Update minimum version of ruby-selenium-webdriver to 4.0.0
for autopkgtest. :)
.
[ Gabriela Pivetta ]
* d/p/activerecord-add-missing-require-statements.patch: Drop
patch that has been merged upstream.
* d/patches: Refresh patches.
Checksums-Sha1:
f4dc127f282f34879bbcf2a5755668e0a72c586a 4798 rails_6.1.6.1+dfsg-1.dsc
e715921994f93ed9f2cb4f4ce5925628e15d4519 8173652 rails_6.1.6.1+dfsg.orig.tar.xz
252352526d551285d44dbee7b4f4f69fa76fa058 101584 rails_6.1.6.1+dfsg-1.debian.tar.xz
5a5e0478cd61d571e5d11d90b07774066e94d89a 14728 rails_6.1.6.1+dfsg-1_source.buildinfo
Checksums-Sha256:
8d507d77b39212eabc415e7d0598ae4d0412541dd207423cf824f1ab266678b9 4798 rails_6.1.6.1+dfsg-1.dsc
6d17ff42c877d7490a6e832f1dc540178bc9203083d7a487a2d6ce809adb1b10 8173652 rails_6.1.6.1+dfsg.orig.tar.xz
7967178486539c5c3105253bcdb9ffb0b11a6cf0abb0cf4e113073612bc0f7c1 101584 rails_6.1.6.1+dfsg-1.debian.tar.xz
e99aa9f9aedccc59a88562a4af6f407dd4cc57730d082229832f0e56e394b242 14728 rails_6.1.6.1+dfsg-1_source.buildinfo
Files:
837d10aac534854f5302931b68376a9a 4798 ruby optional rails_6.1.6.1+dfsg-1.dsc
8eb8019844e018cf1e1356c3fbab51c9 8173652 ruby optional rails_6.1.6.1+dfsg.orig.tar.xz
787e0c20b8d27ba0e5a24f7f98c87583 101584 ruby optional rails_6.1.6.1+dfsg-1.debian.tar.xz
c325a6a49df70054ef8bda47c034ce1e 14728 ruby optional rails_6.1.6.1+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmMFHdkACgkQgj6WdgbD
S5YDiBAAxo9hLFbfh3mQJCRbFpuEXnMUfq584G/hyg6mRuE8rU2SkoTe0NvTNp8p
5rVeepxnFH+yUnb8Br8BTtTi6kaFf3yBUcJi29zLO5BeEFj6V1gZECa+DVztpGgN
1djhCDYKVB7lYXx5rCAVU8TurjPXhXnQ3XO6958UE1renItAv/B3KHZY/gd8XzFw
z2EYXV5Hd4vo9KSWGiaG/RWD8AJajICs/IqjDNHyNGepvhR+6o3Jtor/1ZHRTdIE
IUqVtq8XQDvvuk+Z+NPqkEVXwLELg/H8nNyJGzSTrks4szG5ZyB7toziArV4Q0Dg
t5bm7Fp9N1flyat2zLTgkH9yteEA56f91Z5wrZeRNMNvAUtGtXmOQGQsgpWriwWL
jc+JsCWF+iMmJLmoJfEvNRY8uHp9wlh0xQ2U/CPE23Mu8xz3ZHJv67YPHs7Cxvb1
+BGuM/xVu7kd9iMiYpKImqoj54Rf1WVEOF5LDmQ3s7EomgAgte8Iy3p5zX/AK73o
HbVPwJS5jKOS1b6cA2ejDX2mEnenv/mLFtjWHME4uaBHhn2F7j1/l5SRfPDINerO
DX+xC1TkNAsHS/rdn8u0+iONcLPgonWhMl8spzgY7ZydA6YtdsOEIX+8oowlWLTo
Kwv8dxj4+O3syXhb9qRP7M7xICyVeRP1DoGqD9Tc02ASnP9vrrY=
=SPww
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 14 Oct 2022 07:25:58 GMT)
Last modified: Sun Oct 8 03:08:28 2023