Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 723794 (CVE-2020-8162, CVE-2020-8164, CVE-2020-8165, CVE-2020-8166, CVE-2020-8167)

Summary: <dev-ruby/rails-{5.2.4.3,6.0.3.1}: Multiple vulnerablities (CVE-2020-{8162,8164,8165,8166,8167})
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/
Whiteboard: ~1 [noglsa cve]
Package list:
Runtime testing required: ---

Description Hans de Graaff gentoo-dev 2020-05-18 17:51:48 UTC
Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.

Both releases contain the following fixes:

    [CVE-2020-8162] Circumvention of file size limits in ActiveStorage
    [CVE-2020-8164] Possible Strong Parameters Bypass in ActionPack
    [CVE-2020-8165] Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
    [CVE-2020-8166] Ability to forge per-form CSRF tokens given a global CSRF token
    [CVE-2020-8167] CSRF Vulnerability in rails-ujs
Comment 1 Hans de Graaff gentoo-dev 2020-05-18 18:46:54 UTC
Rails 5.2.4.3 and 6.0.3.1 are now available.
Comment 2 Sam James archtester gentoo-dev Security 2020-06-18 02:59:07 UTC
ping
Comment 3 Hans de Graaff gentoo-dev 2020-07-05 06:51:39 UTC
cleanup done.
Comment 4 Sam James archtester gentoo-dev Security 2020-07-05 09:48:56 UTC
(In reply to Hans de Graaff from comment #3)
> cleanup done.

Thank you. All done!