Your message dated Tue, 02 Feb 2016 21:32:11 +0000
with message-id <[email protected]>
and subject line Bug#790486: fixed in rails 2:4.1.8-1+deb8u1
has caused the Debian Bug report #790486,
regarding rails: CVE-2015-3226: XSS in ActiveSupport::JSON.encode
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
790486: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790486
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rails
Version: 2:4.1.8-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for rails.

CVE-2015-3226[0]:
XSS Vulnerability in ActiveSupport::JSON.encode

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3226
[1] http://seclists.org/oss-sec/2015/q2/732

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
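For readers who want to see the class of defect the report names rather than just the CVE line, the following is an added example, not code from Rails, from the reporter, or from the Debian package. ActiveSupport::JSON.encode is expected (when HTML-entity escaping is on) to rewrite `<`, `>`, `&` and the U+2028/U+2029 line separators as `\uXXXX` escapes, so that JSON inlined into a `<script>` block cannot terminate that block. The escape table below is assumed to match ActiveSupport 4.x's; the helper names, the `<script>` wrapper and the sample payload are this example's own constructions, and nothing here reproduces the specific input that triggered the Rails bug, which the report does not describe.

```ruby
require "json"

# Assumed to mirror ActiveSupport's escape table (not taken from the page).
# Each value is a literal backslash-u sequence, so the result stays valid JSON.
SCRIPT_SAFE_ESCAPES = {
  "\u2028" => '\u2028',  # LINE SEPARATOR: legal in JSON, a line break in JS
  "\u2029" => '\u2029',  # PARAGRAPH SEPARATOR
  ">"      => '\u003e',
  "<"      => '\u003c',
  "&"      => '\u0026',
}.freeze

# Plain stdlib encoding: string contents are emitted verbatim, so a stored
# "</script>" survives into the output unchanged.
def encode_unsafe(obj)
  JSON.generate(obj)
end

# Script-safe encoding: generate with the stdlib, then escape the dangerous
# characters in the *output*. Because every replacement is a JSON string
# escape, the text still parses back to the original value.
def encode_script_safe(obj)
  JSON.generate(obj).gsub(/[\u2028\u2029<>&]/u, SCRIPT_SAFE_ESCAPES)
end

# Where this matters: a view that inlines server data into a script block.
# (Hypothetical wrapper for the example, not a Rails helper.)
def script_tag(json)
  "<script>var data = #{json};</script>"
end

# Does the rendered HTML still contain exactly one closing </script> tag?
def script_block_intact?(html)
  html.scan(%r{</script}i).length == 1
end

# Constructed sample: an attacker-controlled value stored server-side.
PAYLOAD = {
  "name" => "</script><script>alert(1)</script>",
  "line" => "a\u2028b",
}.freeze

if __FILE__ == $0
  puts script_tag(encode_unsafe(PAYLOAD))
  puts script_tag(encode_script_safe(PAYLOAD))
  puts "unsafe block intact? #{script_block_intact?(script_tag(encode_unsafe(PAYLOAD)))}"
  puts "safe block intact?   #{script_block_intact?(script_tag(encode_script_safe(PAYLOAD)))}"
  puts "round-trips?         #{JSON.parse(encode_script_safe(PAYLOAD)) == PAYLOAD}"
end
```

The point of the check is that the *encoder* output, not the template, is what has to be HTML-safe: the unsafe rendering contains three `</script` sequences and the browser honours the first one it sees, while the escaped form keeps the value intact for `JSON.parse` on the client.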
--- Begin Message ---
Source: rails
Source-Version: 2:4.1.8-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <[email protected]> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 28 Jan 2016 11:12:33 -0200
Source: rails
Binary: ruby-activesupport ruby-activesupport-2.3 ruby-activerecord ruby-activemodel ruby-actionview ruby-actionpack ruby-actionmailer ruby-railties ruby-rails rails
Architecture: source all
Version: 2:4.1.8-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Antonio Terceiro <[email protected]>
Description:
 rails      - MVC ruby based framework geared for web application development (
 ruby-actionmailer - email composition, delivery, and receiving framework (part of Rai
 ruby-actionpack - web-flow and rendering framework putting the VC in MVC (part of R
 ruby-actionview - framework for handling view template lookup and rendering (part o
 ruby-activemodel - toolkit for building modeling frameworks (part of Rails)
 ruby-activerecord - object-relational mapper framework (part of Rails)
 ruby-activesupport - Support and utility classes used by the Rails 4.1 framework
 ruby-activesupport-2.3 - transitional dummy package
 ruby-rails - MVC ruby based framework geared for web application development
 ruby-railties - tools for creating, working with, and running Rails applications
Closes: 790486 790487
Changes:
 rails (2:4.1.8-1+deb8u1) jessie-security; urgency=high
 .
   * Security updates:
     - [CVE-2015-3227] Possible Denial of Service attack in Active Support
                       (Closes: #790487)
     - [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode
                       (Closes: #790486)
     - [CVE-2015-7576] Timing attack vulnerability in basic authentication in
                       Action Controller.
     - [CVE-2016-0751] Possible Object Leak and Denial of Service attack in
                       Action Pack
     - [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.
     - [CVE-2016-0752] Possible Information Leak Vulnerability in Action View
     - [CVE-2016-0753] Possible Input Validation Circumvention in Active Model
     - [CVE-2015-7581] Object leak vulnerability for wildcard controller routes
                       in Action Pack
Checksums-Sha1:
 5af0f3af8581c2351ea1d17f839ad50267ffa30a 2571 rails_4.1.8-1+deb8u1.dsc
 b9b860ebcc29bc0e208c1eec50842db9bb92765b 3711426 rails_4.1.8.orig.tar.gz
 694f990cbe66eb9e71fe5b472a4173ef9a79b55a 96348 rails_4.1.8-1+deb8u1.debian.tar.xz
 a87d5fd188153e868b50b15f03d4e8a7636ac783 207146 ruby-activesupport_4.1.8-1+deb8u1_all.deb
 a7e42fef7dbd89058e501c01e104ee2a52e420a9 11240 ruby-activesupport-2.3_4.1.8-1+deb8u1_all.deb
 e5c48f45290ab0b14a65dc8db8a4dd80afa9b4ae 268258 ruby-activerecord_4.1.8-1+deb8u1_all.deb
 b70225fe51f918dfe668be5d527e71a82b09ca86 48498 ruby-activemodel_4.1.8-1+deb8u1_all.deb
 8a1f20fc1d907fb25ca7810f47fcc2be36b8b323 141166 ruby-actionview_4.1.8-1+deb8u1_all.deb
 35ff79de09f5ff7412864597c5258bafcda78c37 169578 ruby-actionpack_4.1.8-1+deb8u1_all.deb
 49702140b6de57235ad97834eaf0ddfb5fdca827 31464 ruby-actionmailer_4.1.8-1+deb8u1_all.deb
 9321fe13c60dd7f21dc948a4b6f80300079807ec 118956 ruby-railties_4.1.8-1+deb8u1_all.deb
 8ac15713231e210e9c70704f6d3d95583048ee74 16294 ruby-rails_4.1.8-1+deb8u1_all.deb
 552bee75f73832a73c52f064f8946402ab9b18b4 11502 rails_4.1.8-1+deb8u1_all.deb
Checksums-Sha256:
 c97cea8875033299dd7aed692720ac5d480f947564a947ab1f1be9b7d5046ae5 2571 rails_4.1.8-1+deb8u1.dsc
 419e7cdd8e7fd2b2d45d3a37fb37f01b70ada51db77ca116f83636711d845814 3711426 rails_4.1.8.orig.tar.gz
 675e009ceb2b184b0f66da05c7b74c5c322d72cd51d3a4559ec0e5052ce94cc5 96348 rails_4.1.8-1+deb8u1.debian.tar.xz
 5031053aa135539aa2d0e4fc75d8702ed719bafec35bd270d6506642371ec811 207146 ruby-activesupport_4.1.8-1+deb8u1_all.deb
 3883dc073d2a5be3e94c0b27141396c15fa74496f4d08b1bc815299c2e218871 11240 ruby-activesupport-2.3_4.1.8-1+deb8u1_all.deb
 8d7e22b4f3d3a304f2aa421ab6bf79ea280d644479c6a57c2be6d7e0d6dd1539 268258 ruby-activerecord_4.1.8-1+deb8u1_all.deb
 47fd5d59a20e9e536609d1e35fd2fbae156b14f51b8e3dd3387dade47a93b830 48498 ruby-activemodel_4.1.8-1+deb8u1_all.deb
 9a93f76f2bc070639fb7f89dfac77a3d91360c35399e41bf839e24f71384922e 141166 ruby-actionview_4.1.8-1+deb8u1_all.deb
 fe39ad3834008dddd42fe550b1bcbdcc329f49da10762e818559e3aa331795f1 169578 ruby-actionpack_4.1.8-1+deb8u1_all.deb
 26b56ab03e644c807bdc66cb4efa1627723a91d4535f468c1166f624dce4431f 31464 ruby-actionmailer_4.1.8-1+deb8u1_all.deb
 c3a8b033179bf8f9146fb2225a96a17840b90b02c3cd9af3fd89c8d1d46b90a1 118956 ruby-railties_4.1.8-1+deb8u1_all.deb
 40fc6d7bac67be29f115babfe01f93a32d10da957bc5fe9c95aa12a3a4535aa3 16294 ruby-rails_4.1.8-1+deb8u1_all.deb
 928c336e7436ea034440181f353308021084fdb2b4d0c025368a5bad6e1bb012 11502 rails_4.1.8-1+deb8u1_all.deb
Files:
 ea91e053e81a3e2e6a41fa52a67c835c 2571 ruby optional rails_4.1.8-1+deb8u1.dsc
 0b118bca039a4beddbdafa128b7d85e6 3711426 ruby optional rails_4.1.8.orig.tar.gz
 025da188c2bbc56660835737289a9c63 96348 ruby optional rails_4.1.8-1+deb8u1.debian.tar.xz
 70dfd4b8d2291ef9d5a15a032e2e5956 207146 ruby optional ruby-activesupport_4.1.8-1+deb8u1_all.deb
 3c99bd0e7b5f175847ed7eb46ffa14b0 11240 ruby optional ruby-activesupport-2.3_4.1.8-1+deb8u1_all.deb
 82a4a5ebb0b4ba69d655f2f0d3426752 268258 ruby optional ruby-activerecord_4.1.8-1+deb8u1_all.deb
 4c1dfc594a0d954aa0fafe31dc9ca89e 48498 ruby optional ruby-activemodel_4.1.8-1+deb8u1_all.deb
 f80245223a1d181171ef20c92fe8ec46 141166 ruby optional ruby-actionview_4.1.8-1+deb8u1_all.deb
 868bed01c90cebaa69bf3e967f5db8c5 169578 ruby optional ruby-actionpack_4.1.8-1+deb8u1_all.deb
 50a341526247ec4a5be2958d116550c8 31464 ruby optional ruby-actionmailer_4.1.8-1+deb8u1_all.deb
 a75650b061b56d14ab66f5293b877be7 118956 ruby optional ruby-railties_4.1.8-1+deb8u1_all.deb
 351b14998e57d1cfd19cbfeec0ab665b 16294 ruby optional ruby-rails_4.1.8-1+deb8u1_all.deb
 b6acf788198595d4a053324775704cbf 11502 ruby optional rails_4.1.8-1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
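The .changes file above is the signed manifest for this security upload, and the practical use of its Checksums-Sha256 stanza is to confirm that the .deb and .dsc files actually fetched match what the maintainer signed. Debian's own tooling (dscverify, dpkg) does this; the following is an added example, not Debian's or the package's code, of the same check in plain Ruby so the stanza format is clear. The manifest text, the temporary directory and the empty placeholder .deb are constructed for the example; the one real line is the rails_4.1.8-1+deb8u1.dsc entry copied from the message, which is reported as missing because it is not present locally.

```ruby
require "digest"
require "tmpdir"

# Parse the Checksums-Sha256 stanza of a .changes file into
# { filename => [hex_sha256, size_in_bytes] }. Continuation lines of a
# stanza start with a single space; the next non-indented field ends it.
def changes_sha256(text)
  entries = {}
  in_section = false
  text.each_line do |line|
    if line.start_with?("Checksums-Sha256:")
      in_section = true
    elsif in_section && line.start_with?(" ")
      digest, size, name = line.split
      entries[name] = [digest, Integer(size)] if name
    else
      in_section = false
    end
  end
  entries
end

# Check every listed file under dir. Returns an array of problem strings;
# an empty array means every file is present with the right size and hash.
# Size is compared first so a truncated download is reported as such.
def verify_changes(text, dir)
  changes_sha256(text).map do |name, (digest, size)|
    path = File.join(dir, name)
    next "#{name}: missing" unless File.file?(path)
    next "#{name}: size #{File.size(path)} != #{size}" unless File.size(path) == size
    next "#{name}: sha256 mismatch" unless Digest::SHA256.file(path).hexdigest == digest
    nil
  end.compact
end

# Constructed manifest (not a real upload): the first entry is an empty
# file, whose SHA-256 is the well-known hash of zero bytes; the second is
# the .dsc line from the real rails 2:4.1.8-1+deb8u1 .changes.
CHANGES_FIXTURE = <<~CHANGES
  Format: 1.8
  Source: rails
  Checksums-Sha256:
   e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 empty_all.deb
   c97cea8875033299dd7aed692720ac5d480f947564a947ab1f1be9b7d5046ae5 2571 rails_4.1.8-1+deb8u1.dsc
  Files:
   d41d8cd98f00b204e9800998ecf8427e 0 ruby optional empty_all.deb
CHANGES

# Temporary directory holding only the empty placeholder package.
def build_fixture_dir
  dir = Dir.mktmpdir("changes-check")
  File.write(File.join(dir, "empty_all.deb"), "")
  dir
end

if __FILE__ == $0
  dir = build_fixture_dir
  problems = verify_changes(CHANGES_FIXTURE, dir)
  puts(problems.empty? ? "all files verified" : problems)
end
```

Checking the checksums is only half of the job: the stanza is trustworthy because the whole .changes is inside a PGP signature, so the signature must be verified against the uploader's key before the hashes mean anything.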
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
