-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2403-1                      [email protected]
https://www.debian.org/lts/security/                         Markus Koschany
October 09, 2020                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : rails
Version        : 2:4.2.7.1-1+deb9u4
CVE ID         : CVE-2020-15169
Debian Bug     : 970040

A potential Cross-Site Scripting (XSS) vulnerability was found in rails,
a Ruby-based MVC framework. Views that allow the user to control the
default (not found) value of the `t` and `translate` helpers could be
susceptible to XSS attacks. When an HTML-unsafe string is passed as the
default for a missing translation key named html or ending in _html, the
default string is incorrectly marked as HTML-safe and not escaped.

For Debian 9 stretch, this problem has been fixed in version
2:4.2.7.1-1+deb9u4.

We recommend that you upgrade your rails packages.

For the detailed security status of rails please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/rails

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl+AqgBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeR0LA/+Ptd34aOaPRYM4CDl/GQTpZLpL/92mnN/hf69y4I9Z4rKoNq3YyzLFWva
TVqs+Zv2DwBPhdUivihmgLe5vQEkIvyGMLKMpeAZfehlreATGomjuqc61WEAb70h
ux2ULLd7t5ICqPS0c0pILbXCcvRjvxu40tk7CvXNiC5thoDWLPCyEXCSI/4676eL
k7SN2oZtRXyk9MBlLU1idDDrYnJ+INrQdDWfAHM24ok2D49oo5WsoqVOG5Fvo09I
v714jKZTBRZn33SCEZOnKK0RPnXoFKV89wMRONPLvxD7KBdeSNN0TcP2LUOZKipr
0WGZui7GcxJYiuf6FpRVqQ/dI467Q+80pYmBPZmbssESSrlGAHPjgURa3mVeZim5
OFXzj1Q7G8Wc5JvthGkDoOWE7zqKT5j5wFjqC7f0jH74qx1TOKhwd3qV7GLTF7Hy
7b45ICYDaTlbm2+kD6gpn7xVuPGdd4avNfxYYOGKNHZmmymy4YpvTwhjvDI1n0qx
D0gjYEG8SQyQ+kHH7Un+7J+RBKFcfMCMNpmrEtB/bZAIc2oEIJI6EodWVGp9wZgM
Xaxpg0MAyQY7QKwzG9lodZCvkhqumAu/bugtrvO2CSRtf43fH+p6gXUDKpo6aFT+
rbO3Sh90P2A4xh6H522SsBqkqMx8gAu6tGazPRtIk80U37zA8kQ=
=QUA6
-----END PGP SIGNATURE-----
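The following is an added example, not part of the advisory and not Rails' own code: a deliberately simplified model of the `translate` helper that reproduces the CVE-2020-15169 behaviour described above (a user-controlled `:default` for a missing `*_html` key is marked HTML-safe) next to a model of the corrected behaviour (only text that actually came from the translation store is marked safe, so a default for a missing key is escaped by the view). `TRANSLATIONS`, `SafeString`, `translate_vulnerable`, `translate_fixed` and `render` are constructed stand-ins for the I18n backend, `ActiveSupport::SafeBuffer`, the helper and ERB output; they are assumptions made for this example and do not mirror Rails internals line for line.

```ruby
require "erb"

# Constructed translation store standing in for the I18n backend (assumption).
TRANSLATIONS = {
  "greeting"      => "Hello",
  "greeting_html" => "<b>Hello</b>",
}.freeze

# Stand-in for ActiveSupport::SafeBuffer: a String the view emits unescaped.
class SafeString < String; end

# Rails treats a key as HTML-safe when its last segment is "html" or ends in "_html".
def html_safe_key?(key)
  last = key.to_s.split(".").last
  last == "html" || last.end_with?("_html")
end

# Model of the pre-fix helper: whatever comes back for an html key, including a
# caller-supplied default for a missing key, is marked safe. This is the bug.
def translate_vulnerable(key, default: nil)
  value = TRANSLATIONS.fetch(key, default)
  return nil if value.nil?
  html_safe_key?(key) ? SafeString.new(value) : value
end

# Model of the fixed helper: only text that actually came from the translation
# store is marked safe; a default returned for a missing key stays a plain
# String, so the view escapes it like any other untrusted value.
def translate_fixed(key, default: nil)
  return default unless TRANSLATIONS.key?(key)
  value = TRANSLATIONS[key]
  html_safe_key?(key) ? SafeString.new(value) : value
end

# What ERB output does with the helper's return value: safe strings pass
# through, everything else is HTML-escaped.
def render(value)
  value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value.to_s)
end

if __FILE__ == $PROGRAM_NAME
  payload = "<script>alert(1)</script>"   # constructed user input reaching :default
  puts "vulnerable: #{render(translate_vulnerable('missing_html', default: payload))}"
  puts "fixed:      #{render(translate_fixed('missing_html', default: payload))}"
end
```

The point to take from the model: the `_html` suffix is a promise that the translation file's content is trusted markup, and that promise must not extend to a `:default` that the request supplied. Views that do `t("some.key_html", default: params[:x])` were exploitable only when the key was missing, which is why the bug is easy to miss in testing where every key exists. On a stretch host, confirm that the binary packages built from the rails source package are at 2:4.2.7.1-1+deb9u4 or later, and audit views for `t`/`translate` calls whose `:default` comes from request data.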
