[Git][security-tracker-team/security-tracker][master] rails: postponed

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Mon Jun 1 06:15:09 BST 2026



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6e8c8f3b by Sylvain Beucler at 2026-06-01T07:15:00+02:00
rails: postponed

All open CVEs "Low" according to upstream.
No DSA/SPU plans.
Drop from dla-needed.txt for now.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -39145,6 +39145,7 @@ CVE-2026-33658 (Active Storage allows users to attach cloud and local files in R
 	- rails 2:7.2.3.1+dfsg-1 (bug #1132035)
 	[trixie] - rails <no-dsa> (Minor issue)
 	[bookworm] - rails <no-dsa> (Minor issue)
+	[bullseye] - rails <postponed> (Minor issue, DoS)
 	NOTE: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
 	NOTE: Fixed by: https://github.com/rails/rails/commit/85ec5b1e00d3197d8c69a5e622e1b398a1b10b06 (v8.1.2.1)
 	NOTE: Fixed by: https://github.com/rails/rails/commit/d7da4ef03f99035fba5add8828646f1e9173549c (v8.0.4.1)
@@ -42766,6 +42767,7 @@ CVE-2026-33202 (Active Storage allows users to attach cloud and local files in R
 	- rails 2:7.2.3.1+dfsg-1 (bug #1132035)
 	[trixie] - rails <no-dsa> (Minor issue)
 	[bookworm] - rails <no-dsa> (Minor issue)
+	[bullseye] - rails <postponed> (Minor issue, path traversal in unlikely scenario)
 	NOTE: https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
 	NOTE: Fixed by: https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c (v8.1.2.1)
 	NOTE: Fixed by: https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf (v8.0.4.1)
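Review bot: the reason on the added [bullseye] line, "path traversal in unlikely scenario", does not say which scenario, so a later triager cannot tell from the tracker entry whether a given deployment falls into it. Suggest naming the precondition from GHSA-73f9-jhhh-hr5m in the parenthetical or in a NOTE line; the same wording is used for CVE-2026-33195.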
@@ -42774,6 +42776,7 @@ CVE-2026-33195 (Active Storage allows users to attach cloud and local files in R
 	- rails 2:7.2.3.1+dfsg-1 (bug #1132035)
 	[trixie] - rails <no-dsa> (Minor issue)
 	[bookworm] - rails <no-dsa> (Minor issue)
+	[bullseye] - rails <postponed> (Minor issue, path traversal in unlikely scenario)
 	NOTE: https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
 	NOTE: Fixed by: https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655 (v8.1.2.1)
 	NOTE: Fixed by: https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348 (v8.0.4.1)
@@ -42782,6 +42785,7 @@ CVE-2026-33176 (Active Support is a toolkit of support libraries and Ruby core e
 	- rails 2:7.2.3.1+dfsg-1 (bug #1132035)
 	[trixie] - rails <no-dsa> (Minor issue)
 	[bookworm] - rails <no-dsa> (Minor issue)
+	[bullseye] - rails <postponed> (Minor issue, DoS)
 	NOTE: https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
 	NOTE: Fixed by: https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb (v8.1.2.1)
 	NOTE: Fixed by: https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856 (v8.0.4.1)
@@ -42790,6 +42794,7 @@ CVE-2026-33174 (Active Storage allows users to attach cloud and local files in R
 	- rails 2:7.2.3.1+dfsg-1 (bug #1132035)
 	[trixie] - rails <no-dsa> (Minor issue)
 	[bookworm] - rails <no-dsa> (Minor issue)
+	[bullseye] - rails <postponed> (Minor issue, DoS)
 	NOTE: https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
 	NOTE: Fixed by: https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a (v8.1.2.1)
 	NOTE: Fixed by: https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5 (v8.0.4.1)
@@ -42798,6 +42803,7 @@ CVE-2026-33173 (Active Storage allows users to attach cloud and local files in R
 	- rails 2:7.2.3.1+dfsg-1 (bug #1132035)
 	[trixie] - rails <no-dsa> (Minor issue)
 	[bookworm] - rails <no-dsa> (Minor issue)
+	[bullseye] - rails <postponed> (Minor issue, automatic content type bypass)
 	NOTE: https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
 	NOTE: Fixed by: https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0 (v8.1.2.1)
 	NOTE: Fixed by: https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e (v8.0.4.1)
@@ -42806,6 +42812,7 @@ CVE-2026-33170 (Active Support is a toolkit of support libraries and Ruby core e
 	- rails 2:7.2.3.1+dfsg-1 (bug #1132035)
 	[trixie] - rails <no-dsa> (Minor issue)
 	[bookworm] - rails <no-dsa> (Minor issue)
+	[bullseye] - rails <postponed> (Minor issue, XSS)
 	NOTE: https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
 	NOTE: Fixed by: https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7 (v8.1.2.1)
 	NOTE: Fixed by: https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db (v8.0.4.1)
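Review bot: "(Minor issue, XSS)" on the added [bullseye] line names the bug class but not what limits its impact, unlike the path traversal entries in this commit, which at least say "in unlikely scenario". Suggest adding the limiting condition from GHSA-89vf-4333-qx8v so the postponement can be re-checked later; the CVE-2026-33168 line has the same gap.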
@@ -42814,6 +42821,7 @@ CVE-2026-33169 (Active Support is a toolkit of support libraries and Ruby core e
 	- rails 2:7.2.3.1+dfsg-1 (bug #1132035)
 	[trixie] - rails <no-dsa> (Minor issue)
 	[bookworm] - rails <no-dsa> (Minor issue)
+	[bullseye] - rails <postponed> (Minor issue, DoS)
 	NOTE: https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
 	NOTE: Fixed by: https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49 (v8.1.2.1)
 	NOTE: Fixed by: https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11 (v8.0.4.1)
@@ -42822,6 +42830,7 @@ CVE-2026-33168 (Action View provides conventions and helpers for building web pa
 	- rails 2:7.2.3.1+dfsg-1 (bug #1132035)
 	[trixie] - rails <no-dsa> (Minor issue)
 	[bookworm] - rails <no-dsa> (Minor issue)
+	[bullseye] - rails <postponed> (Minor issue, XSS)
 	NOTE: https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
 	NOTE: Fixed by: https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d (v8.1.2.1)
 	NOTE: Fixed by: https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924 (v8.0.4.1)


=====================================
data/dla-needed.txt
=====================================
@@ -497,12 +497,6 @@ rabbitmq-server
   NOTE: 20260504: Added by coordinator (santiago)
   NOTE: 20260504: Added to address out-standing minor issues
 --
-rails
-  NOTE: 20260405: Added by Front-Desk (ta)
-  NOTE: 20260405: too many issues piled up
-  NOTE: 20260511: Partial release to handle CVE-2022-32224 (potentially backward-incompatible)
-  NOTE: 20260511: and fix issues in previous upload, following work in buster. (Beuc)
---
 redis (Chris Lamb)
   NOTE: 20260515: Added by Front-Desk (pochu)
 --
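Review bot: the removed rails entry carries the 20260511 notes about a partial release for CVE-2022-32224 and fixes to the previous upload, and neither this hunk nor the commit message says whether that upload went out. If it is still pending, keep the entry (or move those notes somewhere that survives) rather than dropping it together with the newly postponed CVEs.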



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e8c8f3bd9db2ea842550edb3da2c13f5657887d
