[Git][security-tracker-team/security-tracker][master] Reserve DLA-4383-1 for rails
Bastien Roucariès (@rouca)
rouca at debian.org
Tue Nov 25 19:13:46 GMT 2025
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5fa9de2f by Bastien Roucariès at 2025-11-25T20:12:57+01:00
Reserve DLA-4383-1 for rails
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -230083,7 +230083,6 @@ CVE-2023-40316
CVE-2023-38037 (ActiveSupport::EncryptedFile writes contents that will be encrypted to ...)
{DSA-5881-1}
- rails 2:7.2.2.1+dfsg-1 (bug #1051057)
- [bullseye] - rails <no-dsa> (Minor issue)
NOTE: https://github.com/advisories/GHSA-cr5q-6q9f-rq6q
NOTE: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml
NOTE: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731 (v7.0.7.1)
@@ -253930,7 +253929,6 @@ CVE-2023-28363
CVE-2023-28362 (The redirect_to method in Rails allows provided values to contain char ...)
{DSA-5881-1}
- rails 2:7.2.2.1+dfsg-1 (bug #1051058)
- [bullseye] - rails <no-dsa> (Minor issue)
NOTE: https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
NOTE: https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5 (main)
NOTE: https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441 (v6.1.7.4)
@@ -286613,7 +286611,6 @@ CVE-2022-44567 (A command injection vulnerability exists in Rocket.Chat-Desktop
NOT-FOR-US: Rocket.Chat-Desktop
CVE-2022-44566 (A denial of service vulnerability present in ActiveRecord's PostgreSQL ...)
- rails 2:6.1.7.3+dfsg-1 (bug #1030050)
- [bullseye] - rails <no-dsa> (Minor issue)
NOTE: https://discuss.rubyonrails.org/t/cve-2022-44566-possible-denial-of-service-vulnerability-in-activerecords-postgresql-adapter/82119
NOTE: https://github.com/rails/rails/commit/414eb337d142a9c61d7723ceb9b7c1ab30dff3ed (6-1-stable)
CVE-2022-44565 (An improper access validation vulnerability exists in airMAX AC <8.7.1 ...)
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[25 Nov 2025] DLA-4383-1 rails - security update
+ {CVE-2022-44566 CVE-2023-28362 CVE-2023-38037 CVE-2024-41128 CVE-2024-47887 CVE-2024-47888 CVE-2024-47889 CVE-2024-54133}
+ [bullseye] - rails 2:6.0.3.7+dfsg-2+deb11u3
[25 Nov 2025] DLA-4382-1 libsdl2 - security update
{CVE-2022-4743}
[bullseye] - libsdl2 2.0.14+dfsg2-3+deb11u2
=====================================
data/dla-needed.txt
=====================================
@@ -299,14 +299,6 @@ qtbase-opensource-src (Sylvain Beucler)
NOTE: 20250520: Follow fixes from bookworm 12.11 (CVE-2024-39936)
NOTE: 20250520: We don't seem affected by the non-CVE crash fix #1081682 (Beuc/front-desk)
--
-rails (rouca)
- NOTE: 20250105: Added by Front-Desk (apo)
- NOTE: 20250305: Utkarsh uploaded the CVE fixes to unstable via rails/7.2.2.1. (utkarsh)
- NOTE: 20250323: rails DSA has been released. (utkarsh)
- NOTE: 20250621: rails DSA uploaded the last 6.1 release before EOL (2024-11)
- NOTE: 20250621: 6.0 branch is EOL (2023-06) so all open CVEs need individual backport (Beuc)
- NOTE: 20251120: Import old security release and fix. Will likely do a partial release due to number of CVEs (rouca)
---
runc
NOTE: 20251105: Added by Front-Desk (Beuc)
NOTE: 20251105: 3 high-severity container breakouts. Used by docker.io.
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fa9de2f9c41167b3853014ddf49ce751bcb27c1
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fa9de2f9c41167b3853014ddf49ce751bcb27c1
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20251125/9d7a14dd/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list