Your message dated Mon, 13 Apr 2026 18:53:52 +0200
with message-id <[email protected]>
and subject line Re: Accepted rails 2:7.2.3.1+dfsg-1 (source) into unstable
has caused the Debian Bug report #1132035,
regarding CVE-2026-33168 CVE-2026-33169 CVE-2026-33170 CVE-2026-33173
CVE-2026-33174 CVE-2026-33176 CVE-2026-33195 CVE-2026-33202 CVE-2026-33658
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132035: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rails
Version: 2:7.2.3+dfsg-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for rails.
CVE-2026-33168[0]:
| Action View provides conventions and helpers for building web pages
| with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and
| 7.2.3.1, when a blank string is used as an HTML attribute name in
| Action View tag helpers, the attribute escaping is bypassed,
| producing malformed HTML. A carefully crafted attribute value could
| then be misinterpreted by the browser as a separate attribute name,
| possibly leading to XSS. Applications that allow users to specify
| custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and
| 7.2.3.1 contain a patch.
CVE-2026-33169[1]:
| Active Support is a toolkit of support libraries and Ruby core
| extensions extracted from the Rails framework.
| `NumberToDelimitedConverter` uses a lookahead-based regular
| expression with `gsub!` to insert thousands delimiters. Prior to
| versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the
| repeated lookahead group and `gsub!` can produce quadratic time
| complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and
| 7.2.3.1 contain a patch.
CVE-2026-33170[2]:
| Active Support is a toolkit of support libraries and Ruby core
| extensions extracted from the Rails framework. Prior to versions
| 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the
| `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer`
| is mutated in place (e.g. via `gsub!`) and then formatted with `%`
| using untrusted arguments, the result incorrectly reports
| `html_safe? == true`, bypassing ERB auto-escaping and possibly
| leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a
| patch.
CVE-2026-33173[3]:
| Active Storage allows users to attach cloud and local files in Rails
| applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1,
| `DirectUploadsController` accepts arbitrary metadata from the client
| and persists it on the blob. Because internal flags like
| `identified` and `analyzed` are stored in the same metadata hash, a
| direct-upload client can set these flags to skip MIME detection and
| analysis. This allows an attacker to upload arbitrary content while
| claiming a safe `content_type`, bypassing any validations that rely
| on Active Storage's automatic content type identification. Versions
| 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
CVE-2026-33174[4]:
| Active Storage allows users to attach cloud and local files in Rails
| applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when
| serving files through Active Storage's proxy delivery mode, the
| proxy controller loads the entire requested byte range into memory
| before sending it. A request with a large or unbounded Range header
| (e.g. `bytes=0-`) could cause the server to allocate memory
| proportional to the file size, possibly resulting in a DoS
| vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1,
| and 7.2.3.1 contain a patch.
CVE-2026-33176[5]:
| Active Support is a toolkit of support libraries and Ruby core
| extensions extracted from the Rails framework. Prior to versions
| 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept
| strings containing scientific notation (e.g. `1e10000`), which
| `BigDecimal` expands into extremely large decimal representations.
| This can cause excessive memory allocation and CPU consumption when
| the expanded number is formatted, possibly resulting in a DoS
| vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a
| patch.
CVE-2026-33195[6]:
| Active Storage allows users to attach cloud and local files in Rails
| applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1,
| Active Storage's `DiskService#path_for` does not validate that the
| resolved filesystem path remains within the storage root directory.
| If a blob key containing path traversal sequences (e.g. `../`) is
| used, it could allow reading, writing, or deleting arbitrary files
| on the server. Blob keys are expected to be trusted strings, but
| some applications could be passing user input as keys and would be
| affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
CVE-2026-33202[7]:
| Active Storage allows users to attach cloud and local files in Rails
| applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1,
| Active Storage's `DiskService#delete_prefixed` passes blob keys
| directly to `Dir.glob` without escaping glob metacharacters. If a
| blob key contains attacker-controlled input or custom-generated keys
| with glob metacharacters, it may be possible to delete unintended
| files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and
| 7.2.3.1 contain a patch.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33168
https://www.cve.org/CVERecord?id=CVE-2026-33168
[1] https://security-tracker.debian.org/tracker/CVE-2026-33169
https://www.cve.org/CVERecord?id=CVE-2026-33169
[2] https://security-tracker.debian.org/tracker/CVE-2026-33170
https://www.cve.org/CVERecord?id=CVE-2026-33170
[3] https://security-tracker.debian.org/tracker/CVE-2026-33173
https://www.cve.org/CVERecord?id=CVE-2026-33173
[4] https://security-tracker.debian.org/tracker/CVE-2026-33174
https://www.cve.org/CVERecord?id=CVE-2026-33174
[5] https://security-tracker.debian.org/tracker/CVE-2026-33176
https://www.cve.org/CVERecord?id=CVE-2026-33176
[6] https://security-tracker.debian.org/tracker/CVE-2026-33195
https://www.cve.org/CVERecord?id=CVE-2026-33195
[7] https://security-tracker.debian.org/tracker/CVE-2026-33202
https://www.cve.org/CVERecord?id=CVE-2026-33202
Regards,
Salvatore
--- End Message ---
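Added example, not part of the bug report above and not Rails' own code: a toy disk-backed blob store in plain Ruby that shows the two DiskService key-handling hazards described for CVE-2026-33195 (unchecked path join) and CVE-2026-33202 (blob key passed to Dir.glob unescaped), each next to a hardened version. ToyDiskStore, its method names and the sample keys are invented for illustration; the real Active Storage DiskService lays out keys differently and is not reproduced here.

```ruby
require "tmpdir"
require "fileutils"

# Toy disk-backed blob store (illustration only, not Active Storage's
# DiskService). It models the two key-handling hazards from the advisory:
# an unchecked path join (CVE-2026-33195) and an unescaped glob (CVE-2026-33202).
class ToyDiskStore
  GLOB_META = /[*?\[\]{}\\]/

  def initialize(root)
    @root = File.expand_path(root)
  end

  # Unchecked join: a key like "../../etc/passwd" resolves outside @root.
  def unsafe_path_for(key)
    File.join(@root, key)
  end

  # Hardened: canonicalise first, then insist the result is inside @root.
  # Comparing against @root + "/" also rejects sibling dirs such as "<root>2".
  def safe_path_for(key)
    path = File.expand_path(File.join(@root, key))
    unless path.start_with?(@root + File::SEPARATOR)
      raise ArgumentError, "blob key escapes storage root: #{key.inspect}"
    end
    path
  end

  # Unchecked glob: "*", "{a,b}" or "[ab]" in the prefix widen the match.
  def unsafe_delete_prefixed(prefix)
    delete_matching(File.join(@root, "#{prefix}*"))
  end

  # Hardened: backslash-escape glob metacharacters so the prefix is literal.
  def safe_delete_prefixed(prefix)
    escaped = prefix.gsub(GLOB_META) { |c| "\\#{c}" }
    delete_matching(File.join(@root, "#{escaped}*"))
  end

  def keys
    Dir.children(@root).sort
  end

  private

  def delete_matching(pattern)
    Dir.glob(pattern).each { |p| FileUtils.rm_f(p) }
  end
end

# Constructed sample keys; real Active Storage keys look different.
SAMPLE_KEYS = %w[abc123 abd999 xyz777].freeze

# Runs both scenarios in a scratch directory and returns what happened.
def demo_disk_store
  results = {}
  Dir.mktmpdir("blobs") do |root|
    store = ToyDiskStore.new(root)
    hostile_key = "../../etc/passwd"

    resolved = File.expand_path(store.unsafe_path_for(hostile_key))
    results[:unsafe_escapes] = !resolved.start_with?(File.expand_path(root))
    results[:safe_rejects] =
      begin
        store.safe_path_for(hostile_key)
        false
      rescue ArgumentError
        true
      end
    results[:safe_accepts_plain_key] =
      store.safe_path_for("abc123") == File.join(File.expand_path(root), "abc123")

    SAMPLE_KEYS.each { |k| File.write(File.join(root, k), "blob #{k}") }
    store.safe_delete_prefixed("{abc,xyz}")   # literal prefix: nothing matches
    results[:after_safe_delete] = store.keys
    store.unsafe_delete_prefixed("{abc,xyz}") # brace expansion: two blobs gone
    results[:after_unsafe_delete] = store.keys
  end
  results
end

puts demo_disk_store.inspect if __FILE__ == $PROGRAM_NAME
```

The glob hardening escapes rather than filters because Dir.glob expands braces and character classes before matching, so a prefix such as "{abc,xyz}" silently selects blobs under two unrelated keys; the path check canonicalises with File.expand_path before comparing, since a plain substring test on the unexpanded join would pass "../" keys through.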
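Added example for the Range-header memory issue described under CVE-2026-33174, written for this page and not taken from Rails' proxy controller or its patch: a single-range "bytes=" parser plus a chunked reader, so a request such as `bytes=0-` on a large file is answered from a fixed-size buffer rather than one allocation the size of the range. The 200 kB blob and the 64 KiB chunk size are constructed values; multi-range requests are deliberately not handled.

```ruby
require "tempfile"

CHUNK_BYTES = 64 * 1024 # upper bound on bytes held in memory per read

# Parse a single HTTP byte range ("bytes=a-b", "bytes=a-", "bytes=-n") against
# a known file size. Returns [first, last] (inclusive) or nil if unsatisfiable.
def parse_byte_range(header, size)
  m = /\Abytes=(\d*)-(\d*)\z/.match(header.to_s.strip)
  return nil unless m && size > 0
  first_s, last_s = m[1], m[2]
  return nil if first_s.empty? && last_s.empty?
  if first_s.empty?                       # suffix range: the last n bytes
    n = last_s.to_i
    return nil if n.zero?
    first = [size - n, 0].max
    last = size - 1
  else
    first = first_s.to_i
    last = last_s.empty? ? size - 1 : [last_s.to_i, size - 1].min
  end
  return nil if first >= size || first > last
  [first, last]
end

# Yield the requested range in bounded chunks instead of a single read.
def each_range_chunk(io, first, last, chunk = CHUNK_BYTES)
  io.seek(first)
  remaining = last - first + 1
  while remaining > 0
    data = io.read([chunk, remaining].min)
    break if data.nil? || data.empty?
    remaining -= data.bytesize
    yield data
  end
end

# Answer one range request from a file. Returns [status, headers, stats];
# stats records how many chunks were yielded and the largest one.
def serve_range(path, range_header, chunk = CHUNK_BYTES)
  size = File.size(path)
  range = parse_byte_range(range_header, size)
  return [416, { "Content-Range" => "bytes */#{size}" }, nil] unless range
  first, last = range
  stats = { chunks: 0, max_chunk: 0, bytes: 0 }
  File.open(path, "rb") do |f|
    each_range_chunk(f, first, last, chunk) do |data|
      stats[:chunks] += 1
      stats[:max_chunk] = [stats[:max_chunk], data.bytesize].max
      stats[:bytes] += data.bytesize
    end
  end
  headers = {
    "Content-Range" => "bytes #{first}-#{last}/#{size}",
    "Content-Length" => (last - first + 1).to_s
  }
  [206, headers, stats]
end

# Constructed 200 kB blob served with an unbounded "bytes=0-" request.
def demo_range
  Tempfile.create("blob") do |f|
    f.binmode
    f.write("x" * 200_000)
    f.flush
    serve_range(f.path, "bytes=0-", 64 * 1024)
  end
end

puts demo_range.inspect if __FILE__ == $PROGRAM_NAME
```

Clamping the end offset to size - 1 and rejecting starts past EOF keeps the 416 path honest, while the reader's peak allocation is the chunk size regardless of how much of the file the client asks for.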
--- Begin Message ---
Source: rails
Source-Version: 2:7.2.3.1+dfsg-1
On Mon, Apr 13, 2026 at 02:50:15PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Sun, 12 Apr 2026 09:43:53 -0500
> Source: rails
> Architecture: source
> Version: 2:7.2.3.1+dfsg-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Ruby Team <[email protected]>
> Changed-By: Simon Quigley <[email protected]>
> Changes:
> rails (2:7.2.3.1+dfsg-1) unstable; urgency=medium
> .
> * Team upload.
> * Upgrade the watch file to version 5.
> * New upstream release.
> - Fixes CVE-2026-33168, CVE-2026-33169, CVE-2026-33170, CVE-2026-33173,
> CVE-2026-33174, CVE-2026-33176, CVE-2026-33195, CVE-2026-33202,
> CVE-2026-33658.
> * Refresh the upstream metadata.
> * Update Standards-Version to 4.7.4, no changes needed.
> * Add drop-minitest-upper-limit.patch to ensure packages remain
> installable.
> Checksums-Sha1:
> 61574f7843ea1fe0ab1ce4bfff55d260b0c221a2 4666 rails_7.2.3.1+dfsg-1.dsc
> 9953e54cd7832607fa737dfe8016012d00f71637 8073144 rails_7.2.3.1+dfsg.orig.tar.xz
> bbb725ab9486b4f2380c926c054f45811a8f8859 103288 rails_7.2.3.1+dfsg-1.debian.tar.xz
> 0cc056446d5f11ab5298281a4cf50e6fc512077f 7906 rails_7.2.3.1+dfsg-1_source.buildinfo
> Checksums-Sha256:
> e44b94cf2fc694df266d88572c839f3f4d7e1ba9d467eafd547db9b35df73099 4666 rails_7.2.3.1+dfsg-1.dsc
> 3f3b8213fcd3641695dcc7e7a53cee44544ddfbcb24fe3045f0c24bd6dffc326 8073144 rails_7.2.3.1+dfsg.orig.tar.xz
> 35b1f211e1e9249b19a8cb4fc25d0163ea957d82231633528da03c625cdfdb92 103288 rails_7.2.3.1+dfsg-1.debian.tar.xz
> 0856fd398986610279796dcb5f901837f2c77586324cd448363662f039d11f68 7906 rails_7.2.3.1+dfsg-1_source.buildinfo
> Files:
> a2f9ace05ec9f1b869a7eb9236813e17 4666 ruby optional rails_7.2.3.1+dfsg-1.dsc
> 6e859abf78c7db2fe055e9778c738967 8073144 ruby optional rails_7.2.3.1+dfsg.orig.tar.xz
> 69ecd39eea78557e24acca6eb1bfbc17 103288 ruby optional rails_7.2.3.1+dfsg-1.debian.tar.xz
> 283e203ed3f90c8b388448a8da9ddd11 7906 ruby optional rails_7.2.3.1+dfsg-1_source.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEEXHq+og+GMEWcyMi14n8s+EWML6QFAmncExEACgkQ4n8s+EWM
> L6T30g/9HZ9cvaVCdbaQKLEDpywb2yuz8Ih4zCK85Fmz8WYcsWyjZSFM1tcdC4ZU
> jXKVw2XhAukuMkuQJpwH9J5hmgakUQx9RJ72YLUdVmEpMh/8uB1WINFUNNbxenxO
> LmCoN4/LLyW+AhrfaqJlbNbS7dC+Q5xEIczfDdDUi47o3qRb+qXoxzu243RCBCMt
> Mz/S5/XalWzk/qL4YV8giqzCQHRcP0Ij88UZ7XK1tQrICT+T0LDQEnUAJmahIUEf
> YIrDF+Qdz289h2YU/hnf6JT2A2Pt/tbH0hZQu+pN1JP86ZaHNkrf7mAKYc0iU9FM
> tPu4B53v4VA2lWoFnFggo8nQaVh9nxmCeOpQJQA4PS0F60c26UA4o5Xg1aJ5+t5b
> N6gU1EBgO3s16ASYh0LcNFvH85FGcPAK3pTdrRULOrw7Tm+CO89AOgc9Q+fTWCJb
> KA+aaUUJh1Z9X3R8QIIVtgQ+8fhIBxXO321/6oENoDIBSknvoLNuQkksZxBYAF6o
> QTcDQZ3Rx5Wn9S2HB3RUp6fVqBAYAaYCsyzygd8Bgm9UicI2FpTOXHXd0YjoW+Aj
> RvMNvlEonfwSP/lEIY0xKW97hiBuMvFRwhx33OkxVV0dEM5BdnOKBQtwMyVPmQ6P
> dKsvzukkrJMCNtGtW4Dcw7g1yIPbbIOjaoHbq25PMoEr1pLkw+0=
> =8crS
> -----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers