[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage ruby-actionpack-page-caching for stretch LTS (CVE-2020-8159).

Wed Aug 19 12:27:26 BST 2020


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c3973d15 by Chris Lamb at 2020-08-19T12:27:17+01:00
data/dla-needed.txt: Triage ruby-actionpack-page-caching for stretch LTS (CVE-2020-8159).

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=====================================
data/dla-needed.txt
=====================================
@@ -142,6 +142,13 @@ qtbase-opensource-src (Adrian Bunk)
   NOTE: 20200815: Minor issue, but easy to fix (CVE-2020-17507). Low prio.
   NOTE: 20200815: One could possibly look at the other <no-dsa> issues and decide whether they are worth fixing along. (sunweaver)
 --
+ruby-actionpack-page-caching
+  NOTE: 20200819: Upstream's patch on does not apply due to subsequent
+  NOTE: 20200819: refactoring. However, a quick look at the private
+  NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
+  NOTE: 20200819: uses the path without normalising any "../" etc., simply
+  NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby)
+--
 ruby-doorkeeper
 --
 ruby-json-jwt (Utkarsh Gupta)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3973d15dda2e0466bb7c88f17a3f230f0d01fd7

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3973d15dda2e0466bb7c88f17a3f230f0d01fd7
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200819/25a609f3/attachment.html>
