Bug 723794 (CVE-2020-8162, CVE-2020-8164, CVE-2020-8165, CVE-2020-8166, CVE-2020-8167)

Summary: <dev-ruby/rails-{5.2.4.3,6.0.3.1}: Multiple vulnerabilities (CVE-2020-{8162,8164,8165,8166,8167})
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Hans de Graaff <graaff>
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
Priority: Normal
CC: ruby
Version: unspecified
Hardware: All
OS: Linux
URL: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/
Whiteboard: ~1 [noglsa cve]
Package list:
Runtime testing required: ---

Description Hans de Graaff gentoo-dev Security 2020-05-18 17:51:48 UTC
Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.

Both releases contain the following fixes:

    [CVE-2020-8162] Circumvention of file size limits in ActiveStorage
    [CVE-2020-8164] Possible Strong Parameters Bypass in ActionPack
    [CVE-2020-8165] Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
    [CVE-2020-8166] Ability to forge per-form CSRF tokens given a global CSRF token
    [CVE-2020-8167] CSRF Vulnerability in rails-ujs
Comment 1 Hans de Graaff gentoo-dev Security 2020-05-18 18:46:54 UTC
Rails 5.2.4.3 and 6.0.3.1 are now available.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-18 02:59:07 UTC
ping
Comment 3 Hans de Graaff gentoo-dev Security 2020-07-05 06:51:39 UTC
cleanup done.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-05 09:48:56 UTC
(In reply to Hans de Graaff from comment #3)
> cleanup done.

Thank you. All done!