Debian Bug report logs - #971988
rails: CVE-2020-8264
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 11 Oct 2020 08:15:01 UTC
Severity: normal
Tags: fixed-upstream, security, upstream
Found in version rails/2:6.0.3.3+dfsg-1
Fixed in version rails/2:6.0.3.4+dfsg-1
Done: Utkarsh Gupta <utkarsh@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#971988; Package src:rails.
(Sun, 11 Oct 2020 08:15:03 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>.
(Sun, 11 Oct 2020 08:15:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: rails
Version: 2:6.0.3.3+dfsg-1
Severity: normal
Tags: security upstream fixed-upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for rails.
CVE-2020-8264[0]:
| Possible XSS Vulnerability in Action Pack in Development Mode
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-8264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8264
[1] https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ
Regards,
Salvatore
Reply sent
to Utkarsh Gupta <utkarsh@debian.org>:
You have taken responsibility.
(Sun, 11 Oct 2020 19:57:05 GMT)
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 11 Oct 2020 19:57:05 GMT)
Message #10 received at 971988-close@bugs.debian.org:
Source: rails
Source-Version: 2:6.0.3.4+dfsg-1
Done: Utkarsh Gupta <utkarsh@debian.org>
We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 971988@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <utkarsh@debian.org> (supplier of updated rails package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 12 Oct 2020 00:28:24 +0530
Source: rails
Architecture: source
Version: 2:6.0.3.4+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Closes: 971988
Changes:
rails (2:6.0.3.4+dfsg-1) unstable; urgency=medium
.
* New upstream version 6.0.3.4+dfsg
- Fix a possible XSS vulnerability in Action Pack in
Development Mode. (Fixes: CVE-2020-8264) (Closes: #971988)
Checksums-Sha1:
22aeeb1b95868abd5bbdce118ed7f9d8d80c3042 5227 rails_6.0.3.4+dfsg-1.dsc
5ce3bfca703943673913e69f32769cb4e6041415 13966328 rails_6.0.3.4+dfsg.orig.tar.xz
00afdab880e258a1b7df38c532808cacf11eba22 97100 rails_6.0.3.4+dfsg-1.debian.tar.xz
6ee8c28e691484ff68295129493a2f15e9fddc81 34265 rails_6.0.3.4+dfsg-1_source.buildinfo
Checksums-Sha256:
f436c60d2af6f735c710ffd68c0f3c371bfa52a22e6489483e8c658c32d08e92 5227 rails_6.0.3.4+dfsg-1.dsc
73b6c05806edbe7dd25959669c78c0a13053b90e53d01b9f6d63d40857dfeb40 13966328 rails_6.0.3.4+dfsg.orig.tar.xz
448d22b015bb5014bcabe9ccc147c21702a6edd38770d7889361237e042b315d 97100 rails_6.0.3.4+dfsg-1.debian.tar.xz
ea2a87cd6a82b48b6f96ead16765e33bdcbbc2d6b794fffe0335f8d57eac31d6 34265 rails_6.0.3.4+dfsg-1_source.buildinfo
Files:
ca95bcf9254c3d4a6da8da52d59812bf 5227 ruby optional rails_6.0.3.4+dfsg-1.dsc
961d769f3d38eeba409ba854af34afb2 13966328 ruby optional rails_6.0.3.4+dfsg.orig.tar.xz
a2532a1604f57a0b3602028fbeabcafd 97100 ruby optional rails_6.0.3.4+dfsg-1.debian.tar.xz
a4d3fd6263190ba009cb41de298518cb 34265 ruby optional rails_6.0.3.4+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=Sawd
-----END PGP SIGNATURE-----
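The signed .changes message above carries a Checksums-Sha256 stanza (digest, size, filename per line) for every file of the rails 2:6.0.3.4+dfsg-1 upload. The script below is an added example, not part of the bug log and not Debian's own tooling: it parses a stanza in that format and verifies a set of files against it, reporting a per-file status of ok, digest-mismatch, size-mismatch, missing, or unlisted (a file present that the stanza does not name). The RAILS_CHANGES text is copied from the message above; DEMO_CHANGES and DEMO_FILES are constructed (their digests are SHA-256 of the empty string and of "abc") so that the example runs offline.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, Mapping, NamedTuple

# Stanza copied from the rails 2:6.0.3.4+dfsg-1 .changes quoted in the bug log.
# The files themselves are not embedded, so this text only exercises the parser.
RAILS_CHANGES = """Checksums-Sha256:
 f436c60d2af6f735c710ffd68c0f3c371bfa52a22e6489483e8c658c32d08e92 5227 rails_6.0.3.4+dfsg-1.dsc
 73b6c05806edbe7dd25959669c78c0a13053b90e53d01b9f6d63d40857dfeb40 13966328 rails_6.0.3.4+dfsg.orig.tar.xz
 448d22b015bb5014bcabe9ccc147c21702a6edd38770d7889361237e042b315d 97100 rails_6.0.3.4+dfsg-1.debian.tar.xz
 ea2a87cd6a82b48b6f96ead16765e33bdcbbc2d6b794fffe0335f8d57eac31d6 34265 rails_6.0.3.4+dfsg-1_source.buildinfo
Files:
 ca95bcf9254c3d4a6da8da52d59812bf 5227 ruby optional rails_6.0.3.4+dfsg-1.dsc
"""

# Constructed stanza and file contents (not from the bug log) covering each
# outcome the verifier can report. Digests: SHA-256("") and SHA-256("abc").
DEMO_CHANGES = """Format: 1.8
Checksums-Sha256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 empty.dsc
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 good.tar.xz
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 tampered.tar.xz
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 truncated.tar.xz
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 absent.buildinfo
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 ruby optional empty.dsc
"""
DEMO_FILES: Dict[str, bytes] = {
    "empty.dsc": b"",
    "good.tar.xz": b"abc",
    "tampered.tar.xz": b"abd",   # same size as listed, different content
    "truncated.tar.xz": b"ab",   # shorter than the listed size
    "stray.txt": b"not listed",  # present on disk but absent from the stanza
}


class Entry(NamedTuple):
    sha256: str
    size: int


# One stanza line: 64 hex digits, a decimal size, a bare filename.
_LINE = re.compile(r"^\s*([0-9a-fA-F]{64})\s+(\d+)\s+(\S+)\s*$")


def parse_checksums_sha256(changes_text: str) -> Dict[str, Entry]:
    """Return {filename: Entry} from the Checksums-Sha256 field of a .changes."""
    entries: Dict[str, Entry] = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_stanza = True
            continue
        if not in_stanza:
            continue
        if line and not line[0].isspace():
            break  # an unindented line starts the next field
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, size, name = m.groups()
        # Filenames in a .changes are bare; reject anything that could escape a directory.
        if "/" in name or name in (".", ".."):
            raise ValueError(f"unsafe filename in stanza: {name!r}")
        entries[name] = Entry(digest.lower(), int(size))
    if not entries:
        raise ValueError("no Checksums-Sha256 stanza found")
    return entries


def verify_files(expected: Mapping[str, Entry], files: Mapping[str, bytes]) -> Dict[str, str]:
    """Check in-memory file contents against the parsed stanza."""
    results: Dict[str, str] = {}
    for name, entry in expected.items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != entry.size:
            results[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != entry.sha256:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    for name in files:
        if name not in expected:
            results[name] = "unlisted"
    return results


def load_directory(directory: str) -> Dict[str, bytes]:
    """Read every regular file in a directory for verify_files (small uploads only)."""
    return {p.name: p.read_bytes() for p in Path(directory).iterdir() if p.is_file()}


def demo_results() -> Dict[str, str]:
    """Run the verifier over the constructed demo stanza and files."""
    return verify_files(parse_checksums_sha256(DEMO_CHANGES), DEMO_FILES)


if __name__ == "__main__":
    for name, status in sorted(demo_results().items()):
        print(f"{status:16} {name}")
```

Matching digests only show that the files agree with the .changes; the .changes itself must be tied to the uploader's key by checking the PGP signature it carries (for Debian source packages, `dscverify` from devscripts does both steps against the keyring), otherwise an attacker who can replace the files can replace the checksum list too.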
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 09 Nov 2020 07:28:09 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Sun Oct 8 03:05:19 2023; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.