Date: Tue, 19 May 2020 23:35:17 +0000 (UTC) From: Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r535958 - head/security/vuxml Message-ID: <202005192335.04JNZHn3088504@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: sunpoet Date: Tue May 19 23:35:17 2020 New Revision: 535958 URL: https://svnweb.freebsd.org/changeset/ports/535958 Log: Document rails vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue May 19 23:35:10 2020 (r535957) +++ head/security/vuxml/vuln.xml Tue May 19 23:35:17 2020 (r535958) @@ -58,6 +58,57 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="85fca718-99f6-11ea-bf1d-08002728f74c"> + <topic>Rails -- multiple vulnerabilities</topic> + <affects> + <package> + <name>rubygem-actionpack52</name> + <name>rubygem-actionview52</name> + <name>rubygem-activestorage52</name> + <name>rubygem-activesupport52</name> + <range><lt>5.2.4.3</lt></range> + </package> + <package> + <name>rubygem-actionpack60</name> + <name>rubygem-actionview60</name> + <name>rubygem-activestorage60</name> + <name>rubygem-activesupport60</name> + <range><lt>6.0.3.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Ruby on Rails blog:</p> + <blockquote cite="https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/">; + <p>Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.</p> + <p>Both releases contain the following fixes:</p> + <p>CVE-2020-8162: Circumvention of file size limits in ActiveStorage</p> + <p>CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack</p> + <p>CVE-2020-8165: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore</p> + <p>CVE-2020-8166: Ability to forge per-form CSRF tokens given a global CSRF token</p> + <p>CVE-2020-8167: CSRF Vulnerability in rails-ujs</p> + </blockquote> + </body> + </description> + <references> + <url>https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/</url>; + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ</url>; + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY</url>; + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c</url>; + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw</url>; + <url>https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0</url>; + <cvename>CVE-2020-8162</cvename> + <cvename>CVE-2020-8164</cvename> + <cvename>CVE-2020-8165</cvename> + <cvename>CVE-2020-8166</cvename> + <cvename>CVE-2020-8167</cvename> + </references> + <dates> + <discovery>2020-05-18</discovery> + <entry>2020-05-19</entry> + </dates> + </vuln> + <vuln vid="37d106a8-15a4-483e-8247-fcb68b16eaf8"> <topic>Dovecot -- Multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202005192335.04JNZHn3088504>