Your message dated Wed, 05 Mar 2025 09:35:41 +0000
with message-id <[email protected]>
and subject line Bug#1065119: fixed in rails 2:7.2.2.1+dfsg-1
has caused the Debian Bug report #1065119,
regarding rails: CVE-2024-26144
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1065119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065119
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rails
Version: 2:6.1.7.3+dfsg-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for rails.
CVE-2024-26144[0]:
| Rails is a web-application framework. Starting with version 5.2.0,
| there is a possible sensitive session information leak in Active
| Storage. By default, Active Storage sends a Set-Cookie header along
| with the user's session cookie when serving blobs. It also sets
| Cache-Control to public. Certain proxies may cache the Set-Cookie,
| leading to an information leak. The vulnerability is fixed in
| 7.0.8.1 and 6.1.7.7.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-26144
https://www.cve.org/CVERecord?id=CVE-2024-26144
[1] https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
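The CVE text quoted above describes a header combination rather than a code bug: a blob response that carries the session's Set-Cookie while also being marked Cache-Control: public, so a shared cache may store and replay the cookie. The following Ruby is an added example, not code from the bug report or from the rails project: a Rack-style check that flags that combination in a response header hash, plus a hardening step that downgrades such a response to private. The method names, the middleware class, and the sample header hashes are all constructed here for illustration.

```ruby
# Added example (not from the Debian bug report or the rails project):
# detect the CVE-2024-26144 pattern -- a Set-Cookie header on a response that
# shared caches are allowed to store (Cache-Control: public) -- and harden it.
# Header names follow the Rack convention of a plain String-keyed hash.

# Returns true when a shared cache could store this response together with
# its cookie: a non-empty Set-Cookie plus "public" without "private"/"no-store".
def cookie_cacheable?(headers)
  cache_control = headers.fetch('Cache-Control', '').downcase
  has_cookie    = !headers['Set-Cookie'].to_s.empty?
  directives    = cache_control.split(',').map(&:strip)
  shared_cache_ok = directives.include?('public') &&
                    (directives & %w[private no-store]).empty?
  has_cookie && shared_cache_ok
end

# Hardened variant: when a response both sets a cookie and is public, drop
# "public" and add "private" so shared caches will not keep it.
# Returns the original hash untouched when nothing needs fixing.
def harden_cache_headers(headers)
  return headers unless cookie_cacheable?(headers)
  fixed = headers.dup
  directives = fixed['Cache-Control'].split(',').map(&:strip)
                                    .reject { |d| d.casecmp?('public') }
  fixed['Cache-Control'] = (directives + ['private']).join(', ')
  fixed
end

# Hypothetical Rack middleware wrapping the check; the wrapped app is any
# object responding to #call(env) with the usual [status, headers, body].
class PrivateCookieResponses
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, harden_cache_headers(headers), body]
  end
end

# Constructed sample responses modelled on the blob-serving case in the CVE text.
LEAKY_BLOB_HEADERS = {
  'Content-Type'  => 'image/png',
  'Cache-Control' => 'public, max-age=300',
  'Set-Cookie'    => '_app_session=abc123; path=/; HttpOnly'
}.freeze

SAFE_BLOB_HEADERS = {
  'Content-Type'  => 'image/png',
  'Cache-Control' => 'public, max-age=300'
}.freeze

if __FILE__ == $0
  puts "leaky blob cacheable with cookie: #{cookie_cacheable?(LEAKY_BLOB_HEADERS)}"
  puts "after hardening: #{harden_cache_headers(LEAKY_BLOB_HEADERS)['Cache-Control']}"
  puts "cookie-less blob flagged: #{cookie_cacheable?(SAFE_BLOB_HEADERS)}"
end
```

The check is deliberately conservative: a response with no cookie stays public and cacheable, which is the intended behaviour for blobs, and only the cookie-bearing case is rewritten. Running the check against captured responses from an Active Storage blob URL is a quick way to confirm whether an upgraded deployment still exhibits the header combination the advisory describes.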
--- Begin Message ---
Source: rails
Source-Version: 2:7.2.2.1+dfsg-1
Done: Utkarsh Gupta <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated rails package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 05 Mar 2025 14:28:20 +0530
Source: rails
Built-For-Profiles: noudeb
Architecture: source
Version: 2:7.2.2.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Closes: 1051057 1051058 1065119 1072705 1085376
Changes:
rails (2:7.2.2.1+dfsg-1) unstable; urgency=medium
.
[ Utkarsh Gupta ]
* Reupload to unstable.
- Fixes CVE-2023-38037, CVE-2023-28362, CVE-2024-26144, CVE-2024-28103,
CVE-2024-47889, CVE-2024-47888, CVE-2024-47887, CVE-2024-41128.
- Closes: #1051057, #1051058, #1065119, #1072705, #1085376.
* No-change rebuild for unstable.
.
[ Antonio Terceiro ]
* autopkgtest: newapp: adapt to new rails version.
Checksums-Sha1:
b8f0226f7a05e4ba4419eab922b22a98a23a84c4 4861 rails_7.2.2.1+dfsg-1.dsc
43e79c8c2770a2d945517eb33cdfd8892fd1cd44 8049500 rails_7.2.2.1+dfsg.orig.tar.xz
bb677af1664ef111ac5efdc92d133c4768c2cd11 102544 rails_7.2.2.1+dfsg-1.debian.tar.xz
98ea41ebeffeb16473b464cfbcc82cb3fe886ecb 15148 rails_7.2.2.1+dfsg-1_source.buildinfo
Checksums-Sha256:
354d8653a46a8fbb1b8e6f4869065603fad4f6ad93348d8c99c70f54295d79d4 4861 rails_7.2.2.1+dfsg-1.dsc
32c5bbf63c6b4f381d6caaca29babae92831cd6d99b6410065e80a569de808c1 8049500 rails_7.2.2.1+dfsg.orig.tar.xz
9ff896352719e425d6c573af10ef19a8f3d328106bc0003cc179dc26836c299d 102544 rails_7.2.2.1+dfsg-1.debian.tar.xz
224356125276a8112bccdc5de6b78845e263e92a2cd5fa7e178a816099cff8a5 15148 rails_7.2.2.1+dfsg-1_source.buildinfo
Files:
623523dd6d8d1bf2778529bb908140ce 4861 ruby optional rails_7.2.2.1+dfsg-1.dsc
9c25f24dc3ed1daf8bd5a3f4ec5a7f6b 8049500 ruby optional rails_7.2.2.1+dfsg.orig.tar.xz
a4df2f1d6556a0d429f4cc365c44d6e7 102544 ruby optional rails_7.2.2.1+dfsg-1.debian.tar.xz
c5fcc968aa6fc2eb16858fd50239740c 15148 ruby optional rails_7.2.2.1+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=RaP9
-----END PGP SIGNATURE-----
pgpWmSCNoUDRx.pgp
Description: PGP signature
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers