[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-8159/ruby-actionpack-page-caching: reference patches

Fri Jul 23 16:51:32 BST 2021


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ff078750 by Sylvain Beucler at 2021-07-23T17:51:04+02:00
CVE-2020-8159/ruby-actionpack-page-caching: reference patches

- - - - -
f85b05b8 by Sylvain Beucler at 2021-07-23T17:51:04+02:00
Reserve DLA-2719-1 for ruby-actionpack-page-caching

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -101679,6 +101679,8 @@ CVE-2020-8159 (There is a vulnerability in actionpack_page-caching gem < v1.2
 	- ruby-actionpack-page-caching 1.2.2-1 (bug #960680)
 	[buster] - ruby-actionpack-page-caching <no-dsa> (Minor issue)
 	NOTE: https://groups.google.com/forum/#!topic/rubyonrails-security/CFRVkEytdP8
+	NOTE: https://github.com/rails/actionpack-page_caching/commit/127da70a559bed4fc573fdb4a6d498a7d5815ce2 (v1.2.1)
+	NOTE: https://github.com/rails/actionpack-page_caching/commit/bf4aab113f90a0c5182009709d5115a1d5772608 (v1.2.2)
 CVE-2020-8158 (Prototype pollution vulnerability in the TypeORM package < 0.2.25 m ...)
 	NOT-FOR-US: TypeORM
 CVE-2020-8157 (UniFi Cloud Key firmware <= v1.1.10 for Cloud Key gen2 and Cloud Ke ...)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[23 Jul 2021] DLA-2719-1 ruby-actionpack-page-caching - security update
+	{CVE-2020-8159}
+	[stretch] - ruby-actionpack-page-caching 1.0.2-4+deb9u1
 [23 Jul 2021] DLA-2718-1 intel-microcode - security update
 	{CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513}
 	[stretch] - intel-microcode 3.20210608.2~deb9u2


=====================================
data/dla-needed.txt
=====================================
@@ -75,13 +75,6 @@ python-babel
   NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith)
   NOTE: 20210620: Revisit when it have an assigned CVE Id. (abhijith)
 --
-ruby-actionpack-page-caching (Sylvain Beucler)
-  NOTE: 20200819: Upstream's patch on does not apply due to subsequent
-  NOTE: 20200819: refactoring. However, a quick look at the private
-  NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
-  NOTE: 20200819: uses the path without normalising any "../" etc., simply
-  NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby)
---
 ruby-kaminari
   NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
   NOTE: 20200819: the one upstream or in its many forks. For example, both dthe



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5df7f6a938a0a4dfe801d220e205f2d936bd0211...f85b05b827a11bdb62b7f74ce0f785bc0f4edb6c

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5df7f6a938a0a4dfe801d220e205f2d936bd0211...f85b05b827a11bdb62b7f74ce0f785bc0f4edb6c
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210723/614a5501/attachment.htm>
