Your message dated Wed, 05 Mar 2025 09:35:41 +0000
with message-id <[email protected]>
and subject line Bug#1085376: fixed in rails 2:7.2.2.1+dfsg-1
has caused the Debian Bug report #1085376,
regarding rails: CVE-2024-47889 CVE-2024-47888 CVE-2024-47887 CVE-2024-41128
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1085376: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rails
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for rails.

CVE-2024-47889[0]:
| Action Mailer is a framework for designing email service layers.
| Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5,
| 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the
| block_format helper in Action Mailer. Carefully crafted text can
| cause the block_format helper to take an unexpected amount of time,
| possibly resulting in a DoS vulnerability. All users running an
| affected release should either upgrade to versions 6.1.7.9, 7.0.8.5,
| 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a
| workaround, users can avoid calling the `block_format` helper or
| upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so
| Rails applications using Ruby 3.2 or newer are unaffected. Rails
| 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.

https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9

CVE-2024-47888[1]:
| Action Text brings rich text content and editing to Rails. Starting
| in version 6.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1,
| and 7.2.1.1, there is a possible ReDoS vulnerability in the
| `plain_text_for_blockquote_node` helper in Action Text. Carefully
| crafted text can cause the `plain_text_for_blockquote_node` helper
| to take an unexpected amount of time, possibly resulting in a DoS
| vulnerability. All users running an affected release should either
| upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply
| the relevant patch immediately. As a workaround, users can avoid
| calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2.
| Ruby 3.2 has mitigations for this problem, so Rails applications
| using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on
| Ruby 3.2 or greater so is unaffected.

https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
https://github.com/rails/rails/commit/4f4312b21a6448336de7c7ab0c4d94b378def468

CVE-2024-47887[2]:
| Action Pack is a framework for handling and responding to web
| requests. Starting in version 4.0.0 and prior to versions 6.1.7.9,
| 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS
| vulnerability in Action Controller's HTTP Token authentication. For
| applications using HTTP Token authentication via
| `authenticate_or_request_with_http_token` or similar, a carefully
| crafted header may cause header parsing to take an unexpected amount
| of time, possibly resulting in a DoS vulnerability. All users
| running an affected release should either upgrade to versions
| 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch
| immediately. One may choose to use Ruby 3.2 as a workaround. Ruby 3.2
| has mitigations for this problem, so Rails applications using Ruby
| 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2
| or greater so is unaffected.

https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545

CVE-2024-41128[3]:
| Action Pack is a framework for handling and responding to web
| requests. Starting in version 3.1.0 and prior to versions 6.1.7.9,
| 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS
| vulnerability in the query parameter filtering routines of Action
| Dispatch. Carefully crafted query parameters can cause query
| parameter filtering to take an unexpected amount of time, possibly
| resulting in a DoS vulnerability. All users running an affected
| release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1,
| or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby
| 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so
| Rails applications using Ruby 3.2 or newer are unaffected. Rails
| 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47889
    https://www.cve.org/CVERecord?id=CVE-2024-47889
[1] https://security-tracker.debian.org/tracker/CVE-2024-47888
    https://www.cve.org/CVERecord?id=CVE-2024-47888
[2] https://security-tracker.debian.org/tracker/CVE-2024-47887
    https://www.cve.org/CVERecord?id=CVE-2024-47887
[3] https://security-tracker.debian.org/tracker/CVE-2024-41128
    https://www.cve.org/CVERecord?id=CVE-2024-41128

Please adjust the affected versions in the BTS as needed.

--- End Message ---
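As an added triage example (not part of the bug report or of the rails package), the helper below applies the affected and fixed version ranges quoted in the four CVE descriptions above to an installed Rails and Ruby version; how the "prior to 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1" wording maps to individual release series is an interpretation stated in the comments.

```ruby
# Added example: apply the ranges quoted in the four CVE texts to a given
# Rails/Ruby version pair. Not code from the Debian bug report or from rails.
require "rubygems" # Gem::Version handles segments such as "8.0.0.beta1"

# Fixed releases common to all four CVEs, one per maintained release series.
FIXED = %w[6.1.7.9 7.0.8.5 7.1.4.1 7.2.1.1].map { |v| Gem::Version.new(v) }.freeze

# First affected version named in each CVE description.
FIRST_AFFECTED = {
  "CVE-2024-47889" => "3.0.0", # Action Mailer block_format
  "CVE-2024-47888" => "6.0.0", # Action Text plain_text_for_blockquote_node
  "CVE-2024-47887" => "4.0.0", # Action Controller HTTP Token authentication
  "CVE-2024-41128" => "3.1.0", # Action Dispatch query parameter filtering
}.freeze

# All four descriptions state that Ruby 3.2 or newer carries mitigations and
# that applications running on it are unaffected.
RUBY_MITIGATED = Gem::Version.new("3.2")

# Interpretation (an assumption made in this example, matching the usual
# advisory convention): each MAJOR.MINOR series with a listed fix is safe
# from that release on; anything at or beyond the newest fix is safe; older
# series inside the range have no fixed release and stay affected.
def rails_affected?(cve, rails_version)
  v = Gem::Version.new(rails_version)
  return false if v < Gem::Version.new(FIRST_AFFECTED.fetch(cve))

  series = v.segments.first(2)
  fix = FIXED.find { |f| f.segments.first(2) == series }
  return v < fix if fix # maintained series: compare against its own fix
  v < FIXED.max         # unmaintained series: affected unless newer than all fixes
end

# Combined check: on Ruby >= 3.2 the CVE texts treat the app as unaffected
# even when its Rails release is inside an affected range.
def vulnerable?(cve, rails_version, ruby_version)
  return false if Gem::Version.new(ruby_version) >= RUBY_MITIGATED
  rails_affected?(cve, rails_version)
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable?("CVE-2024-47887", "7.1.4.0", "3.1.4") # true
  puts vulnerable?("CVE-2024-47887", "7.1.4.0", "3.2.0") # false
end
```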
--- Begin Message ---
Source: rails
Source-Version: 2:7.2.2.1+dfsg-1
Done: Utkarsh Gupta <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <[email protected]> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 05 Mar 2025 14:28:20 +0530
Source: rails
Built-For-Profiles: noudeb
Architecture: source
Version: 2:7.2.2.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Utkarsh Gupta <[email protected]>
Closes: 1051057 1051058 1065119 1072705 1085376
Changes:
 rails (2:7.2.2.1+dfsg-1) unstable; urgency=medium
 .
   [ Utkarsh Gupta ]
   * Reupload to unstable.
     - Fixes CVE-2023-38037, CVE-2023-28362, CVE-2024-26144, CVE-2024-28103,
       CVE-2024-47889, CVE-2024-47888, CVE-2024-47887, CVE-2024-41128.
     - Closes: #1051057, #1051058, #1065119, #1072705, #1085376.
   * No-change rebuild for unstable.
 .
   [ Antonio Terceiro ]
   * autopkgtest: newapp: adapt to new rails version.



--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
