Tuesday, February 25, 2025

[USN-7290-1] Rails vulnerabilities

-----BEGIN PGP PUBLIC KEY BLOCK-----

xsBNBGao8McBCAD/mTHpWpp0rMyhX+xQYmuj1DoCiadFZysyAyKIFXODXRSOAQ58
YTf6BEuhPtEamZq+aJEGOTBJmUZxvGMv0Fo5yBN+OGoMA2CJQwxWQCZCptfivOCI
D5p2eANebDVXpZHHgpNwCyFVZR/UfSLMqX/y2wEi1AC4CKc3ihFBWdMJVdDk6zz0
4g/x4w76CZczUpe17QWD1XuAWUxmaVGM/TiKjktq3Lp6yZrb0QSYjCovXAGwfBmz
beludDi+EMDmh76PeKWfqQ38QSPEvN+Lv6OTjPWDfilfuOPpDZA2gsjNj3TaBllL
k9YW98OrqsbegQ0BhPgoPYQ3S15ikv53M8o/ABEBAAHNKUp1bGlhIFNhcnJpcyA8
anVsaWEuc2FycmlzQGNhbm9uaWNhbC5jb20+wsCRBBMBCgA7FiEEOMd9M4Vpc6WH
Yvv+QB78vNoP8b0FAmao8McCGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AA
CgkQQB78vNoP8b3fXQf6Awx8Nd5FkMMGdrWqBjIPZv1Ogkka2+PiIqwqcIeQGvam
V/bpIKOCb4QOS4kgQ+hNS1mmK+T/aWXRCYhiBIPAOIbo7jcMGxNz7V3+43RxlNVl
zt3feYM/QAJmgK8bjdCzI5ZQHiyX8pgOieCylRrcjroQHa9CxHej4aJGCaPGLFGo
81lYWJm21NP4LJTLk03ncJT8Ss64R28cOWUHujysxftAPHVYpPLdlwuJ3lgC8M5n
eq0qwsv22j62ldd/J7u2psRSczaU1ve/TfX71ZCyZZiw2Tm5HvaskD+CilXOaL2H
+KediuEtkQk5KKQikg2XtjbqCYyIxQT50v1TIu86ss7ATQRmqPDHAQgA5zGDufJq
9MhhDPJqM3Qz4kQXLKDXz2l5EovU5olrYerGmskpUBUSwfgAeBu9gMP5Y24spir3
eMm6O7m8EJsihMPCw4Iblzi9YZZX1TY3wegRXFIiaqW5kELnjhVnRpS9WQi9FDd9
gGPp7X3iQ8/B6+nyHitqhcj2A+Vpk5HaguY8zl3yEOwFnud5TEbSb/xYz7DhX5uv
B/FZ9rgn+j2N0hC/RVN1MpSRHZEbOCfpaYr/teiQexOWBlVVnZgCkHb9F0NiNImv
dXVZ18jY5wfgxemfgm8l4nDUlSMUIMiwGYekPMEuYvoDNPwfzzlYHKrVoqp54KMd
JALMUar1bVZtxQARAQABwsB2BBgBCgAgFiEEOMd9M4Vpc6WHYvv+QB78vNoP8b0F
Amao8McCGwwACgkQQB78vNoP8b10+ggA8nW+R2g9BDvkpurM0lwpaCtgKbaENIGg
lpxNXEEUEW7AaR4Mme+4PA/SdpWrFzVa0OGhqtZxkovUZXpgiLlx5/eR1Bl+TUuO
rjZkjGBy3r2Ce1JLwKilSZk7Bk45L7QDxA+NOLSFS7ADqzv37J2jhpfczqrYdpSj
kHgUvkapbuB0ONpQ/mhH9UDquY3eMGv3GSrvggVS0mKjR6bMl1plBWcfJ+Y//xQc
6S1bBdjbmwKMZjYbvhTpPbVeUOUdOg/0mYC/3rjSO+2OEn1Q+YIdfGqbLpDAbruG
m7XHtUOXesWorhDMzQGRpj7R+ed/9uJs0Nvg5FqAKTrzh+90ngEGuA==
=Qkbp
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEEOMd9M4Vpc6WHYvv+QB78vNoP8b0FAme92EIFAwAAAAAACgkQQB78vNoP8b08
owf/Wzh5Tapl6yrJE91pOv1mTbQ+2NyBgPKzvoXN/4JUvqS0M9kFvWUDG0UeHG8jt8mQl8isKZxA
FkWMIPHTrKeR6lvzQy5EZWSIryEYbEzDhrIzy6cZ9r5IckdJrZyUwWD5+d1FORSV96XjTLH4addp
ddqfxC3uUmrZNeivQHcqrbe21pKuza3Y4jk4ly4W4IYX4ZyjMpJIiQne3mtaIRB+g2EQwu9ogBs6
P/Gp7dQEQAH66Jr0kottxTOhN/tVsrz9dmEXwu8y3U/cCbKYfGTPdohHPUWGSonNGyRbv2njUO6g
JKsWNS/AdexuIwAL5PQlYJzMFYBeHNPsmjc06vy89g==
=vOmR
-----END PGP SIGNATURE-----

==========================================================================

Ubuntu Security Notice USN-7290-1
February 25, 2025

rails vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Rails.

Software Description:
- rails: MVC ruby based framework geared for web application development (

Details:

It was discovered that Rails did not correctly handle parsing block
formats in email service layers. An attacker could possibly use this
issue to cause a denial of service. (CVE-2024-47889)

It was discovered that Rails did not correctly handle parsing block
quotes in rich text content. An attacker could possibly use this issue
to cause a denial of service. This issue only affected Ubuntu 22.04 LTS.
(CVE-2024-47888)

It was discovered that Rails did not correctly handle parsing HTTP
token authentication headers. An attacker could possibly use this
issue to cause a denial of service. (CVE-2024-47887)

It was discovered that Rails did not correctly handle parsing query
parameters in web requests. An attacker could possibly use this issue
to cause a denial of service. (CVE-2024-41128)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  rails                           2:6.1.4.1+dfsg-8ubuntu2+esm1
                                  Available with Ubuntu Pro
  ruby-actionmailer               2:6.1.4.1+dfsg-8ubuntu2+esm1
                                  Available with Ubuntu Pro
  ruby-actionpack                 2:6.1.4.1+dfsg-8ubuntu2+esm1
                                  Available with Ubuntu Pro
  ruby-actiontext                 2:6.1.4.1+dfsg-8ubuntu2+esm1
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  rails                           2:5.2.3+dfsg-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  ruby-actionmailer               2:5.2.3+dfsg-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  ruby-actionpack                 2:5.2.3+dfsg-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  rails                           2:4.2.10-0ubuntu4+esm1
                                  Available with Ubuntu Pro
  ruby-actionmailer               2:4.2.10-0ubuntu4+esm1
                                  Available with Ubuntu Pro
  ruby-actionpack                 2:4.2.10-0ubuntu4+esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  rails                           2:4.2.6-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  ruby-actionpack                 2:4.2.6-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7290-1
  CVE-2024-41128, CVE-2024-47887, CVE-2024-47888, CVE-2024-47889

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)