Source: rails
Version: 2:6.1.7+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/rails/rails/issues/46244
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for rails.
CVE-2022-3704[0]:
| A vulnerability classified
Source: ruby3.1
Version: 3.1.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: clone -1 -2
Control: reassign -2 src:ruby3.0 3.0.4-8
Control: retitle -2 ruby3.0: CVE-2021-33621
Hi,
The following vulnerability was published for ruby.
CV
Source: ruby-sinatra
Version: 2.2.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-sinatra.
CVE-2022-45442[0]:
| Sinatra is a domain-specific language for creating web applications in
| Ruby.
Source: ruby-rack
Version: 2.2.4-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerabilities were published for ruby-rack.
CVE-2022-44570[0]:
| rack: Fix ReDoS in Rack::Utils.get_byte_ranges
CVE-2022-44571[1]:
| rack: Fix Re
Source: ruby-globalid
Version: 0.6.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-globalid.
CVE-2023-22799[0]:
| Possible ReDoS based DoS vulnerability in GlobalID
If you fix the vulne
pload.
+ * Update tests to remove deprecated minitest 'must_be'
+ * Forcibly escape content in "unescaped text" elements inside math or svg
+namespaces
+ * Always remove `` elements (CVE-2023-23627) (Closes: #1030047)
+
+ -- Salvatore Bonaccorso Mon, 20 Feb 2023 20:28:45 +0100
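Review bot: the CVE-2023-23627 entry reads "Always remove `` elements" with nothing between the backticks, so the changelog does not say which element is removed; name the element in the entry so it is self-explanatory without consulting the patch.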
Source: ruby-rack
Version: 2.2.4-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-rack.
CVE-2023-27530[0]:
| A DoS vulnerability exists in Rack
Source: rails
Version: 2:6.1.7+dfsg-3
Severity: important
X-Debbugs-Cc: car...@debian.org
Hi,
The following vulnerability was published for rails.
CVE-2023-28120[0]:
| Possible XSS Security Vulnerability in SafeBuffer#bytesplice
If you fix the vulnerability please also make sure to include the
Source: rails
Version: 2:6.1.7+dfsg-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for rails.
CVE-2023-23913[0]:
| DOM Based Cross-site Scripting in rails-ujs for contenteditable HTML
| Elements
Source: ruby-rack
Version: 2.2.4-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-rack.
CVE-2023-27539[0]:
| Possible Denial of Service Vulnerability in Rack’s header parsing
If you fix th
Source: rails
Version: 2:6.1.4.1+dfsg-8
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 2:6.0.3.7+dfsg-2
Hi,
The following vulnerability was published for rails.
CVE-2021-44528[0]:
| Possible Open Redirect in Host Authorization
Source: ruby3.0
Version: 3.0.2-5
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerabilities were published for ruby3.0; they were
fixed upstream in 3.0.3.
CVE-2021-41816[0]:
| Buffer Overrun in CGI.escape_html
CVE-2021-41817[
Source: ruby-sidekiq
Version: 6.3.1+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-sidekiq.
CVE-2022-23837[0]:
| In api.rb in Sidekiq before 6.4.0, there is no limit on the number of
Source: rails
Version: 2:6.1.4.1+dfsg-8
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 2:6.0.3.7+dfsg-2
Hi,
The following vulnerability was published for rails.
CVE-2022-23633[0]:
| Action Pack is a framework for handling and
Source: puma
Version: 5.5.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for puma.
CVE-2022-23634[0]:
| Puma is a Ruby/Rack web server built for parallelism. Prior to `puma`
| version `5.6.2`, `
Source: ruby-image-processing
Version: 1.10.3-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-image-processing.
CVE-2022-24720[0]:
| image_processing is an image processing wrapper for libvips
Source: ruby-nokogiri
Version: 1.13.1+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-nokogiri.
CVE-2022-24836[0]:
| Nokogiri is an open source XML and HTML library for Ruby. Nokogiri
Source: ruby-git
Version: 1.9.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/ruby-git/ruby-git/pull/569
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-git.
CVE-2022-25648[0]:
| The package git before 1.
Source: ruby3.0
Version: 3.0.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: clone -1 -2
Control: reassign -2 src:ruby2.7 2.7.5-1
Control: retitle -2 ruby2.7: CVE-2022-28739
Hi,
The following vulnerability was published for ruby3.0 (
Source: ruby3.0
Version: 3.0.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby3.0.
CVE-2022-28738[0]:
| Double free in Regexp compilation
If you fix the vulnerability please also make sur
Source: ruby-rails-html-sanitizer
Version: 1.4.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-rails-html-sanitizer.
CVE-2022-32209[0]:
| # Possible XSS Vulnerability in Rails::Html::San
Source: ruby-rack
Source-Version: 2.2.6.4-1
On Sat, Mar 25, 2023 at 02:39:38PM +, Debian FTP Masters wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Format: 1.8
> Date: Fri, 24 Mar 2023 01:32:43 +0530
> Source: ruby-rack
> Architecture: source
> Version: 2.2.6.4-1
> Distributio
Source: rails
Source-Version: 2:6.1.7.3+dfsg-1
This can close 1033262 and 1033263 as well; doing so manually.
Regards,
Salvatore
On Sat, Mar 25, 2023 at 10:49:26PM +, Debian FTP Masters wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Format: 1.8
> Date: Sat, 25 Mar 2023 23
Hi LTS team,
On Wed, Jun 07, 2023 at 08:44:53AM +0200, Bernhard Schmidt wrote:
> Package: libruby2.5
> Version: 2.5.5-3+deb10u5
> Severity: grave
>
> Hi,
>
> I can't quite figure out why, but the latest security upload of ruby2.5 in
> Buster breaks the ability of the puppet agent to pull files f
Source: ruby3.1
Version: 3.1.2-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerabilities were published for ruby3.1.
CVE-2023-28755[0]:
| A ReDoS issue was discovered in the URI component through 0.12.0 in
| Ruby throug
Source: ruby-protocol-http1
Version: 0.14.6-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/socketry/protocol-http1/pull/20
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-protocol-http1.
CVE-2023-38697[0]:
Source: puma
Version: 5.6.5-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 6.0.2-1
Hi,
The following vulnerability was published for puma.
CVE-2023-40175[0]:
| Puma is a Ruby/Rack web server built for parallelism. Prior to
|
Source: rails
Version: 2:6.1.7.3+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for rails.
CVE-2023-38037[0]:
Active Support Possibly Discloses Locally Encrypted Files
If you fix the vulner
Source: rails
Version: 2:6.1.7.3+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for rails.
CVE-2023-28362[0]:
| Possible XSS via User Supplied Values to redirect_to
If you fix the vulnerabi
Source: redmine
Version: 5.0.4-7
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerabilities were published for redmine.
CVE-2023-47258[0]:
| Redmine before 4.2.11 and 5.0.x before 5.0.6 allows
Source: puma
Version: 5.6.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for puma.
CVE-2024-21647[0]:
| Puma is a web server for Ruby/Rack applications built for
| parallelism. Prior to version
Source: puma
Source-Version: 6.4.2-1
On Tue, Jan 09, 2024 at 10:15:07PM +0100, Salvatore Bonaccorso wrote:
> Source: puma
> Version: 5.6.7-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
>
> Hi,
>
> T
Source: ruby-rack-cors
Version: 2.0.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/cyu/rack-cors/issues/274
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-rack-cors.
CVE-2024-27456[0]:
| rack-cors (aka
Source: yard
Version: 0.9.34-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 0.9.28-2
Control: found -1 0.9.24-1
Hi,
The following vulnerability was published for yard.
CVE-2024-27285[0]:
| YARD is a Ruby Documentation tool.
Source: rails
Version: 2:6.1.7.3+dfsg-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for rails.
CVE-2024-26144[0]:
| Rails is a web-application framework. Starting with version 5.2.0,
| there is a
Source: ruby3.2
Version: 3.2.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: clone -1 -2
Control: reassign -2 src:ruby3.1 3.1.2-8
Control: retitle -2 ruby3.1: CVE-2024-27281
Control: found -2 3.1.2-7
Hi,
The following vulnerability w
Source: ruby-carrierwave
Version: 1.3.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-carrierwave.
CVE-2023-49090[0]:
| CarrierWave is a solution for file uploads for Rails, Sinatra and
Source: ruby3.1
Version: 3.1.2-8
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 3.1.2-7
Hi,
The following vulnerability was published for ruby3.1.
CVE-2024-27280[0]:
| Buffer overread vulnerabilit
Source: ruby3.2
Version: 3.2.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: clone -1 -2
Control: reassign -2 src:ruby3.1 3.1.2-8
Control: retitle -2 ruby3.1: CVE-2024-27282
Control: found -2 3.1.2-7
Hi,
Package: ruby-sidekiq
Version: 7.2.1+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team
The following vulnerability was published for ruby-sidekiq.
It only affects the experimental version, as the issue was intro
Source: ruby-carrierwave
Version: 1.3.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-carrierwave.
CVE-2021-21305[0]:
| CarrierWave is an open-source RubyGem which provides a simple and
Source: ruby-carrierwave
Version: 1.3.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-carrierwave.
CVE-2021-21288[0]:
| CarrierWave is an open-source RubyGem which provides a simple and
Source: ruby-kramdown
Version: 2.3.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/gettalong/kramdown/pull/708
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-kramdown.
CVE-2
Hi,
On Sat, Apr 17, 2021 at 10:34:24PM +0530, Pirate Praveen wrote:
>
>
> On Sat, Apr 17, 2021 at 10:16 pm, Utkarsh Gupta wrote:
> > Makes sense. Probably the time to RM ruby-rexml from the archive is
> > *now*?
>
> Requested removal from archive in #987101
Thanks for filing the removal!
I
Hi Pirate,
On Sun, Apr 18, 2021 at 10:26:31PM +0530, Pirate Praveen wrote:
> On Sun, 18 Apr 2021 15:04:56 +0200 Salvatore Bonaccorso
> wrote:
> > Hi,
> >
> > On Sat, Apr 17, 2021 at 10:34:24PM +0530, Pirate Praveen wrote:
> > >
> > >
> > > On Sa
Hi Andreas,
On Wed, May 05, 2021 at 09:57:09PM +0200, Andreas Beckmann wrote:
> Followup-For: Bug #964274
>
> Hi,
>
> CVE-2020-7663 is fixed in stretch-security but not buster, making
> upgrades difficult since stretch-security has a newer version than buster.
> Please upload the fix to buster, t
Source: puma
Version: 4.3.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for puma; it is caused by
an incomplete fix for CVE-2019-16770.
CVE-2021-29509[0]:
| Pu
Source: ruby-bindata
Version: 2.4.8-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ruby-bindata.
CVE-2021-32823[0]:
| In the bindata RubyGem before version 2.4.10 there is a potential
| denial
Hi Utkarsh,
On Fri, Jun 18, 2021 at 10:23:39PM +0200, Paul Gevers wrote:
> Hi Utkarsh
>
> On 06-06-2021 06:14, Paul Gevers wrote:
> > I am hoping it's possible to just downgrade the *dependency* in rails
> > only, such that the upload can happen via unstable. There is no "direct
> > bullseye" rou
Source: rails
Version: 2:6.0.3.7+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for rails.
CVE-2021-22942[0]:
| Possible Open Redirect in Host Authorization Middleware
If you fix the vulnera
Hi,
On Tue, Aug 31, 2021 at 09:30:17PM +0530, Pirate Praveen wrote:
> On Sun, 29 Aug 2021 13:05:04 +0200 Axel Beckert wrote:
> > Package: ruby-kramdown
> > Version: 2.3.1-2
> >
> > Hi,
> >
> > aptitude refused to upgrade ruby-kramdown initially, because I have the
> > package "kramdown" installed
Source: redmine
Version: 4.0.7-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for redmine.
CVE-2021-42326[0]:
| Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclo
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc:
car...@debian.org,t...@security.debian.org,chrom...@packages.debian.org,mgilb...@debian.org,riku.voi...@linaro.org,mic...@lebihan.pl,pkg-ruby-extras-maintain...@lists.alioth.debian.
Hi,
On Sat, May 26, 2018 at 06:25:40PM +0530, Pirate Praveen wrote:
> On Saturday 26 May 2018 03:34 PM, Simon Vetter wrote:
> > Awesome, thank you for your prompt reply.
> >
> > In the meantime and assuming the fix is in non-compiled code (i.e.
> > ruby), would you mind sharing a patch here so I
Source: open-build-service
Version: 2.7.1-10
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerability was published for open-build-service.
CVE-2017-5188[0]:
| The bs_worker code in open build service before 20170320 followed
| relative symlinks,
Source: ruby-rails-admin
Version: 0.8.1+dfsg-3
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://github.com/sferik/rails_admin/issues/2985
Hi,
The following vulnerability was published for ruby-rails-admin.
CVE-2017-12098[0]:
| An exploitable cros
Source: ruby-grape
Version: 1.0.3-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/ruby-grape/grape/issues/1762
Hi,
The following vulnerability was published for ruby-grape.
CVE-2018-3769[0]:
| ruby-grape ruby gem suffers from a cross-site scripting (XSS)
| vulne
pload.
+ * Do not respond to http requests asking for a `file://` (CVE-2018-3760)
+(Closes: #901913)
+
+ -- Salvatore Bonaccorso Thu, 05 Jul 2018 23:29:49 +0200
+
ruby-sprockets (3.7.0-1) unstable; urgency=medium
* Team upload
diff -Nru ruby-sprockets-3.7.0/debian/patches/Do-not-respond-to
Source: open-build-service
Version: 2.7.4-2
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.suse.com/show_bug.cgi?id=1094820
Hi,
The following vulnerability was published for open-build-service.
CVE-2018-7688[0]:
| A missing permission check in the review handling of open
Source: open-build-service
Version: 2.7.4-2
Severity: grave
Tags: security upstream
Forwarded: https://bugzilla.suse.com/show_bug.cgi?id=1094819
Hi,
The following vulnerability was published for open-build-service.
CVE-2018-7689[0]:
| Lack of permission checks in the InitializeDevelPackage funct
Source: ruby-doorkeeper
Version: 4.2.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/doorkeeper-gem/doorkeeper/issues/891
Hi,
The following vulnerability was published for ruby-doorkeeper.
CVE-2018-1000211[0]:
| Doorkeeper version 4.2.0 and later contains a Incorrect Ac
Source: gitlab
Version: 8.9.0+dfsg-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for gitlab.
CVE-2018-14364[0]:
Remote Code Execution Vulnerability in GitLab Projects Import
If you fix the vulnerability please also make sure to include the
CVE (Common V
+ruby-rack-protection (1.5.3-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+
+ [ Moritz Muehlenhoff ]
+ * CVE-2018-1000119 (Closes: #892250)
+
+ -- Salvatore Bonaccorso Fri, 20 Jul 2018 05:52:12 +0200
+
ruby-rack-protection (1.5.3-2) unstable; urgency=medium
* Team upload.
diff
Hi!
On Wed, Jun 13, 2018 at 11:39:07AM +, Debian Bug Tracking System wrote:
> ruby-sanitize (4.6.5-1) experimental; urgency=medium
[...]
>[ Pirate Praveen ]
>* New upstream version 4.6.5 (Closes: #893610) (Fixes: CVE-2018-3740)
Any plans for moving this to unstable, or is anything bl
Hi,
On Tue, Jul 31, 2018 at 03:09:52PM +0530, Pirate Praveen wrote:
> On 29/07/18 12:04 PM, Salvatore Bonaccorso wrote:
> > Any plans for moving this to unstable, or is anything blocking it?
>
> ruby-gollum-lib needs an update along with ruby-sanitize, but this
> ruby-goll
Source: jekyll
Version: 3.8.3+dfsg-3
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/jekyll/jekyll/pull/7224
Control: found -1 3.1.6+dfsg-3
Hi,
The following vulnerability was published for jekyll.
CVE-2018-17567[0]:
| Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.
Hi Andrew,
On Fri, Oct 19, 2018 at 05:43:53PM +0800, Andrew Lee wrote:
> Source: open-build-service
> Followup-For: Bug #903797
>
>
> This seems only for the 2.9.x versions. Our currently version of
> open-build-service is 2.7.4.
Can you shed some light on that? Why would the missing permission
Source: ruby-openssl
Version: 2.1.1-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: clone -1 -2
Control: retitle -2 ruby2.5: CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
Control: reassign -2 ruby2.5 2.5.1-6
Hi,
The followin
Source: ruby2.5
Version: 2.5.1-6
Severity: grave
Tags: patch security upstream
Justification: user security hole
Hi,
The following vulnerability was published for ruby2.5.
CVE-2018-16396[0]:
Tainted flags are not propagated in Array#pack and String#unpack with some directives
If you fix the vu
Source: ruby-loofah
Version: 2.2.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/flavorjones/loofah/issues/154
Hi,
The following vulnerability was published for ruby-loofah.
CVE-2018-16468[0]:
| In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may
Source: ruby-rack
Version: 2.0.5-1
Severity: grave
Tags: patch security upstream
Hi,
The following vulnerability was published for ruby-rack, which only
affects the experimental version. Filing with RC severity as the
vulnerable version should not enter unstable.
CVE-2018-16470[0]:
Possible Do
Source: ruby-rack
Version: 1.6.4-4
Severity: grave
Tags: patch security upstream
Hi,
The following vulnerability was published for ruby-rack.
CVE-2018-16471[0]:
Possible XSS vulnerability in Rack
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exp
Source: ruby-i18n
Version: 0.7.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/svenfuchs/i18n/pull/289
Hi,
The following vulnerability was published for ruby-i18n.
CVE-2014-10077[0]:
| Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0
| for Ruby a
Hi Chris,
On Mon, Nov 19, 2018 at 03:17:27AM -0500, Chris Lamb wrote:
> Chris Lamb wrote:
>
> > Security team, like ruby-i18n, I would be more than happy to prepare
> > and upload a stable security upload of this package when addressing
> > it in jessie LTS.
> […]
> > Ruby team, again, I could ea
Source: gitlab
Version: 10.8.7+dfsg-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for gitlab.
CVE-2018-19359[0]:
Unauthorized service template creation
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Expos
Source: rails
Version: 2:4.2.7.1-1
Severity: important
Tags: patch security upstream
Control: found -1 2:4.2.10-1
Hi,
The following vulnerability was published for rails.
CVE-2018-16476[0]:
Broken Access Control vulnerability in Active Job
If you fix the vulnerability please also make sure to i
Source: rails
Version: 2:5.2.0+dfsg-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for rails, and only
affects the 5.2.0 version.
CVE-2018-16477[0]:
Bypass vulnerability in Active Storage
If you fix the vulnerability please also make sure to include the
CV
Source: gitlab
Version: 11.5.5+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 11.6.0+dfsg-1
Hi,
The following vulnerabilities were published for gitlab, fixed in the
11.6.1, 11.5.6, and 11.4.13 versions, cf [15].
CVE-2018-20488[0]:
Secret CI va
Source: gitlab
Version: 11.5.6+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
Hi,
The following vulnerability was published for gitlab, and fixed in
11.6.4, 11.5.7, and 11.4.14.
CVE-2019-6240[0]:
RESERVED
If you fix the vulnerability please also
Source: gitlab
Version: 11.5.7+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi
See
https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/
for details to the announce and fixes in 11.7.3, 11.6.8, and 11.5.10.
Regards,
Salvatore
Source: gitlab
Version: 11.5.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 11.8.0-1
Hi,
The following vulnerabilities were published for gitlab, filing for
tracking purposes.
CVE-2019-9170[0]:
IDOR milestone name information disclosure
CVE
Source: rails
Version: 2:5.2.2+dfsg-6
Severity: important
Tags: security upstream
Control: found -1 2:5.2.2+dfsg-5
Control: found -1 2:4.2.7.1-1
Hi,
The following vulnerabilities were published for rails.
CVE-2019-5418[0]:
File Content Disclosure in Action View
CVE-2019-5419[1]:
Denial of Servi
Source: rails
Version: 2:5.2.2+dfsg-6
Severity: important
Tags: security upstream
Control: found -1 2:5.2.2+dfsg-5
Hi,
The following vulnerability was published for rails.
CVE-2019-5420[0]:
Possible Remote Code Execution Exploit in Rails Development Mode
If you fix the vulnerability please also
3 +1,13 @@
+passenger (5.0.30-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * arbitrary file read via REVISION symlink (CVE-2017-16355)
+(Closes: #884463)
+ * Fix privilege escalation in the Nginx module (CVE-2018-12029)
+(Closes: #921767)
+
+ -- Salvatore Bonaccorso Sat,
* Fix privilege escalation in the Nginx module (CVE-2018-12029)
+(Closes: #921767)
+
+ -- Salvatore Bonaccorso Sat, 16 Mar 2019 08:54:26 +0100
+
passenger (5.0.30-1) unstable; urgency=medium
* New upstream release.
diff -Nru passenger-5.0.30/debian/patches/CVE-2017-16355.patch
passenger-5
Source: ruby-doorkeeper-openid-connect
Version: 1.5.2-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/61
Hi,
The following vulnerability was published for ruby-doorkeeper-openid-connect.
CVE-2019-9837[0]:
| Doorkeeper::Openi
-2017-16355)
+(Closes: #884463)
+ * Fix privilege escalation in the Nginx module (CVE-2018-12029)
+(Closes: #921767)
+
+ -- Salvatore Bonaccorso Sat, 16 Mar 2019 08:54:26 +0100
+
passenger (5.0.30-1) unstable; urgency=medium
* New upstream release.
diff -Nru passenger-5.0.30/debian/pa
Source: gitlab
Version: 11.8.2-3
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for gitlab.
CVE-2019-9866[0]:
Project Runner Token Exposed Through Issues Quick Actions
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabil
Source: ruby-devise
Version: 4.5.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/plataformatec/devise/issues/4981
Hi,
The following vulnerability was published for ruby-devise.
CVE-2019-5421[0]:
| Plataformatec Devise version 4.5.0 and earlier, using the lockable
|
Source: gitlab
Version: 11.8.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerabilities were published for gitlab, fixed
upstream in the 11.9.4, 11.8.6, and 11.7.10 releases.
CVE-2018-5158[0]:
| The PDF viewer does not sufficiently sanitize Po
Source: gitlab
Version: 11.8.6+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerabilities were published for gitlab.
CVE-2019-11544[0]:
Notification Emails Sent to Restricted Users
CVE-2019-11546[1]:
Merge Request Approval Count Inflation
Source: gitlab
Version: 11.8.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerabilities were published for gitlab, see [11] for
a complete listing.
CVE-2019-12428[0]:
Mandatory External Authentication Provider Sign-In Restrictions Bypass
Source: ruby-openid
Version: 2.7.0debian-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/openid/ruby-openid/issues/122
Hi,
The following vulnerability was published for ruby-openid.
CVE-2019-11027[0]:
| Ruby OpenID (aka ruby-openid) throu
Hi,
On Fri, Jul 12, 2019 at 03:58:05PM +0200, Moritz Muehlenhoff wrote:
> Package: ruby-mini-magick
> Severity: grave
> Tags: security
>
> Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13574
FTR, for stretch and buster this was addressed in DSA 4481-1.
For sid/bullseye might be s
ainer upload.
+ * Don't allow remote shell execution (CVE-2019-13574) (Closes: #931932)
+
+ -- Salvatore Bonaccorso Sat, 13 Jul 2019 21:51:59 +0200
+
ruby-mini-magick (4.9.2-1) unstable; urgency=medium
* Team upload
diff -Nru ruby-mini-magick-4.9.2/debian/patches/Don-t-allow-re
Hey!
On Wed, Jul 24, 2019 at 10:43:40AM +0530, Utkarsh Gupta wrote:
> Hey Salvatore,
>
> On Tue, 16 Jul 2019 21:07:05 + Salvatore Bonaccorso
> wrote:
> > Source: ruby-mini-magick
> > Source-Version: 4.9.2-1+deb10u1
> >
> > We believe that the bug you rep
Source: gitlab
Version: 11.8.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerabilities were published for gitlab, see [9].
CVE-2019-5470[0]:
Information Disclosure Vulnerability Feedback
CVE-2019-5469[1]:
Arbitrary File Upload via Impo
Source: gitlab
Version: 11.8.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerabilities were published for gitlab, another round
of gitlab issues. This time only two CVEs affect the versions present
in Debian.
CVE-2019-14942[
Source: ruby-nokogiri
Version: 1.10.3+dfsg1-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/sparklemotion/nokogiri/issues/1915
Hi,
The following vulnerability was published for ruby-nokogiri.
CVE-2019-5477[0]:
Command Injection Vulnerabil
Hi Mike,
On Fri, Aug 30, 2019 at 11:25:16AM +, Mike Gabriel wrote:
> However, to address CVE-2019-5477 it should also be associated with the
> rexical src:pkg in stretch and later. @security-team: can you please update
> data/CVE/list appropriately (instead of me updating it and you correcting m