[Git][security-tracker-team/security-tracker][master] Add CVE-2024-39316/ruby-rack

Thu Jul 4 21:24:43 BST 2024


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
40861f21 by Salvatore Bonaccorso at 2024-07-04T22:24:16+02:00
Add CVE-2024-39316/ruby-rack

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -307,7 +307,11 @@ CVE-2024-39891 (In the Twilio Authy API, accessed by Authy Android before 25.1.0
 CVE-2024-39323 (aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Sta ...)
 	NOT-FOR-US: Aimeos GraphQL API admin interface
 CVE-2024-39316 (Rack is a modular Ruby web server interface. Starting in version 3.1.0 ...)
-	TODO: check
+	- ruby-rack <not-affected> (vulnerable code not present)
+	NOTE: https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7
+	NOTE: Fixed by: https://github.com/rack/rack/commit/412c980450ca729ee37f90a2661f166a9665e058 (v3.1.5)
+	NOTE: Issue exists because fix for CVE-2024-26146 was not applied to the main branch
+	NOTE: and was left unfixed in the 3.1.y series until 3.1.5.
 CVE-2024-39315 (Pomerium is an identity and context-aware access proxy. Prior to versi ...)
 	NOT-FOR-US: Pomerium
 CVE-2024-39206 (An issue discovered in MSP360 Backup Agent v7.8.5.15 and v7.9.4.84 all ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40861f211da392abc2b0cb2fc1f0b4c67e3806d6

-- 
This project does not include diff previews in email notifications.
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40861f211da392abc2b0cb2fc1f0b4c67e3806d6
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240704/bdf82ee5/attachment.htm>
