-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : rails Version : 2:4.1.8-1+deb8u5 CVE ID : CVE-2019-5418 CVE-2019-5419 Debian Bug : 924520
John Hawthorn of Github discovered a file content disclosure vulnerability in Rails, a ruby based web application framework. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents. This vulnerability could also be exploited for a denial-of-service attack. For Debian 8 "Jessie", these problems have been fixed in version 2:4.1.8-1+deb8u5. We recommend that you upgrade your rails packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlygxcpfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeR00g/+Nu/1PQI0LAcjuGZD2D6UvJ02cKv6vEJ8kyO3k7upjkGMlXsK+KnXKFrW H4n1oljsKd0KEKF/5w5eTs299sj1jXBOR/Xtq1AxH1z/RQaULGLqFf0yPF5+aHrJ 0mACiLGPIqwbSymT1nz6Gemt6rXo9b6PUnCxqj2lu5k7t4t9Al1kRwArBr4tzwaW c3tqAIER8HC/8AkdFFZipVBdIbgi0xDjlpfWbvD/sqdjKgM70JsxxTLOjXZlS03R wWoRuO+KXosjRaCC/hxsYMb+jg31XULqfVCQnwdihPQuL/sGIsLU4uduG5XIgp2y GOV3bVqaQNZPZKDGR4obtNUU6CCSntqjL8jS5H7XTjjrgoEOnlC5M3x6EVxtNO8t 6+Pn7acQ3KO40O2iXa5dRdOURaKAVPBg80W+ePEkgjYpBxBDYMDioMlacg7eXlIg P2poEUFb9DLOrZJi9Qi24VnVuH/QJl7/K++t7Ed2IVLJEgvtLUnm4i4Y86n7kSn0 UKAIKvIwKMfdmyLuuUZzHDWbFXhYiERW7l0LQoqRcGvw14OsGdj+nUb18cIv3EYS pW8kSGDw3CQbQa+rklxDUg4EvikwcJ0ixuYfYZXoQX5ey6LAK2CxjuqnBNsEOAAO REu759u1S0m2i9vwg0SHGU9J9ShrMZSPPHFkHGvqM9ZMJp9VlRY= =cKL4 -----END PGP SIGNATURE-----
