[Git][security-tracker-team/security-tracker][master] rails DSA

Mon Mar 17 19:39:48 GMT 2025


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
36011825 by Moritz Mühlenhoff at 2025-03-17T20:38:34+01:00
rails DSA

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -79405,7 +79405,6 @@ CVE-2024-2087 (The Brizy \u2013 Page Builder plugin for WordPress is vulnerable
 	NOT-FOR-US: WordPress plugin
 CVE-2024-28103 (Action Pack is a framework for handling and responding to web requests ...)
 	- rails 2:7.2.2.1+dfsg-1 (bug #1072705)
-	[bookworm] - rails <no-dsa> (Minor issue)
 	[bullseye] - rails <not-affected> (Vulnerable code introduced later)
 	[buster] - rails <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
@@ -113463,7 +113462,6 @@ CVE-2021-46907
 	REJECTED
 CVE-2024-26144 (Rails is a web-application framework. Starting with version 5.2.0, the ...)
 	- rails 2:7.2.2.1+dfsg-1 (bug #1065119)
-	[bookworm] - rails <no-dsa> (Minor issue)
 	[bullseye] - rails <no-dsa> (Minor issue)
 	NOTE: https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945
 	NOTE: https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g
@@ -145955,7 +145953,6 @@ CVE-2023-40316
 	- moodle <removed>
 CVE-2023-38037 (ActiveSupport::EncryptedFile writes contents that will be encrypted to ...)
 	- rails 2:7.2.2.1+dfsg-1 (bug #1051057)
-	[bookworm] - rails <no-dsa> (Minor issue)
 	[bullseye] - rails <no-dsa> (Minor issue)
 	NOTE: https://github.com/advisories/GHSA-cr5q-6q9f-rq6q
 	NOTE: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml
@@ -169780,7 +169777,6 @@ CVE-2023-28363
 	RESERVED
 CVE-2023-28362 (The redirect_to method in Rails allows provided values to contain char ...)
 	- rails 2:7.2.2.1+dfsg-1 (bug #1051058)
-	[bookworm] - rails <no-dsa> (Minor issue)
 	[bullseye] - rails <no-dsa> (Minor issue)
 	NOTE: https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
 	NOTE: https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5 (main)


=====================================
data/DSA/list
=====================================
@@ -1,3 +1,6 @@
+[17 Mar 2025] DSA-5881-1 rails - security update
+	{CVE-2023-28362 CVE-2023-38037 CVE-2024-26144 CVE-2024-28103 CVE-2024-41128 CVE-2024-47887 CVE-2024-47888 CVE-2024-47889 CVE-2024-54133}
+	[bookworm] - rails 2:6.1.7.10+dfsg-1~deb12u1
 [17 Mar 2025] DSA-5880-1 freetype - security update
 	{CVE-2025-27363}
 	[bookworm] - freetype 2.12.1+dfsg-5+deb12u4


=====================================
data/dsa-needed.txt
=====================================
@@ -49,8 +49,6 @@ php-laravel-framework
 python-django
   Chris is working on it
 --
-rails (jmm)
---
 ring
 --
 rsync (carnil)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/360118256c0b9f3c7bc4e5c43ccdc1a826ede91f

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/360118256c0b9f3c7bc4e5c43ccdc1a826ede91f
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250317/2c5ffd34/attachment.htm>
