[Git][security-tracker-team/security-tracker][master] Add initial tracking for some rails issues
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Mar 25 17:16:29 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
772f0bfd by Salvatore Bonaccorso at 2026-03-25T18:15:45+01:00
Add initial tracking for some rails issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1487,23 +1487,57 @@ CVE-2026-33241 (Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's
CVE-2026-33211 (Tekton Pipelines project provides k8s-style resources for declaring CI ...)
NOT-FOR-US: Tekton Pipelines project
CVE-2026-33202 (Active Storage allows users to attach cloud and local files in Rails a ...)
- TODO: check
+ - rails <unfixed>
+ NOTE: https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
+ NOTE: Fixed by: https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c (v8.1.2.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf (v8.0.4.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82 (v7.2.3.1)
CVE-2026-33195 (Active Storage allows users to attach cloud and local files in Rails a ...)
- TODO: check
+ - rails <unfixed>
+ NOTE: https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
+ NOTE: Fixed by: https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655 (v8.1.2.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348 (v8.0.4.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c (v7.2.3.1)
CVE-2026-33176 (Active Support is a toolkit of support libraries and Ruby core extensi ...)
- TODO: check
+ - rails <unfixed>
+ NOTE: https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
+ NOTE: Fixed by: https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb (v8.1.2.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856 (v8.0.4.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a (v7.2.3.1)
CVE-2026-33174 (Active Storage allows users to attach cloud and local files in Rails a ...)
- TODO: check
+ - rails <unfixed>
+ NOTE: https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
+ NOTE: Fixed by: https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a (v8.1.2.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5 (v8.0.4.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b (v7.2.3.1)
CVE-2026-33173 (Active Storage allows users to attach cloud and local files in Rails a ...)
- TODO: check
+ - rails <unfixed>
+ NOTE: https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
+ NOTE: Fixed by: https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0 (v8.1.2.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e (v8.0.4.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53 (v7.2.3.1)
CVE-2026-33170 (Active Support is a toolkit of support libraries and Ruby core extensi ...)
- TODO: check
+ - rails <unfixed>
+ NOTE: https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
+ NOTE: Fixed by: https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7 (v8.1.2.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db (v8.0.4.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb (v7.2.3.1)
CVE-2026-33169 (Active Support is a toolkit of support libraries and Ruby core extensi ...)
- TODO: check
+ - rails <unfixed>
+ NOTE: https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
+ NOTE: Fixed by: https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49 (v8.1.2.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11 (v8.0.4.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974 (v7.2.3.1)
CVE-2026-33168 (Action View provides conventions and helpers for building web pages wi ...)
- TODO: check
+ - rails <unfixed>
+ NOTE: https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
+ NOTE: Fixed by: https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d (v8.1.2.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924 (v8.0.4.1)
+ NOTE: Fixed by: https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c (v7.2.3.1)
CVE-2026-33167 (Action Pack is a Rubygem for building web applications on the Rails fr ...)
- TODO: check
+ - rails <not-affected> (Vulnerable code not present)
+ NOTE: https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
+ NOTE: Fixed by: https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0 (v8.1.2.1)
CVE-2026-33046 (Indico is an event management system that uses Flask-Multipass, a mult ...)
NOT-FOR-US: Indico
CVE-2026-32913 (OpenClaw before 2026.3.7 contains an improper header validation vulner ...)
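Review bot: the CVE-2026-33167 entry at the end of this hunk is marked `<not-affected> (Vulnerable code not present)` but has no NOTE saying where the vulnerable code was introduced. It is also the only entry whose sole "Fixed by" commit is for v8.1.2.1, while the other eight rails entries list fixes for v8.1.2.1, v8.0.4.1 and v7.2.3.1. Suggest adding a NOTE with the introducing commit or the first affected release, so the not-affected status can be rechecked when a newer rails version is packaged.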
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/772f0bfda308d6c9300ad6765374ca75a01572bf
More information about the debian-security-tracker-commits
mailing list