Bug 723794 (CVE-2020-8162, CVE-2020-8164, CVE-2020-8165, CVE-2020-8166, CVE-2020-8167)

Summary: <dev-ruby/rails-{,}: Multiple vulnerabilities (CVE-2020-{8162,8164,8165,8166,8167})
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: trivial
CC: ruby
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~1 [noglsa cve]
Package list:
Runtime testing required: ---

Description Hans de Graaff gentoo-dev 2020-05-18 17:51:48 UTC
Hi everyone! Rails and have been released! These releases contain important security fixes, so please upgrade when you can.

Both releases contain the following fixes:

    [CVE-2020-8162] Circumvention of file size limits in ActiveStorage
    [CVE-2020-8164] Possible Strong Parameters Bypass in ActionPack
    [CVE-2020-8165] Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
    [CVE-2020-8166] Ability to forge per-form CSRF tokens given a global CSRF token
    [CVE-2020-8167] CSRF Vulnerability in rails-ujs
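The following is an added illustration of the vulnerability class named by CVE-2020-8165 (unintended unmarshalling of user-provided objects from a cache store); it is not Rails code and not part of this bug report. It assumes a toy cache whose write path can store caller-supplied bytes as-is (raw: true, modelled here, not the real store API) and whose read path runs every entry through Marshal.load. With that shape, bytes a user controls come back as an arbitrary Ruby object instead of a string; the hardened variant records how each entry was written and only unmarshals entries it marshalled itself. The attacker payload is constructed inline (an Array of Symbols, deliberately harmless) so the script runs offline.

```ruby
# Toy model of the CVE-2020-8165 vulnerability class. Assumptions: the
# cache API (write/read with a raw: flag) and both store classes are
# hypothetical and exist only for this illustration.

# Constructed attacker input: a valid Marshal stream. In the vulnerable
# store this is written as plain bytes but read back as an object.
ATTACKER_BYTES = Marshal.dump([:not, :a, :string]).freeze

# Vulnerable shape: raw writes store the bytes untouched, but the read
# path has no record of that and unmarshals every entry unconditionally.
class VulnerableCache
  def initialize
    @store = {}
  end

  def write(key, value, raw: false)
    @store[key] = raw ? value.to_s : Marshal.dump(value)
  end

  def read(key)
    bytes = @store[key]
    return nil unless bytes
    Marshal.load(bytes) # user-controlled bytes become an object here
  end
end

# Hardened shape: each entry carries how it was written, and only entries
# the cache itself marshalled are ever passed to Marshal.load. Raw entries
# are returned as the String they were stored as.
class HardenedCache
  def initialize
    @store = {}
  end

  def write(key, value, raw: false)
    @store[key] = raw ? [:raw, value.to_s] : [:marshal, Marshal.dump(value)]
  end

  def read(key)
    kind, bytes = @store[key]
    return nil if kind.nil?
    kind == :raw ? bytes : Marshal.load(bytes)
  end
end

# Write attacker-controlled bytes as a raw entry, then read the key back.
def read_back_raw_entry(cache_class)
  cache = cache_class.new
  cache.write("counter", ATTACKER_BYTES, raw: true)
  cache.read("counter")
end

# Normal (non-raw) round trip still works in the hardened store.
def roundtrip_object(cache_class)
  cache = cache_class.new
  cache.write("obj", { "a" => 1 })
  cache.read("obj")
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable read: #{read_back_raw_entry(VulnerableCache).inspect}"
  puts "hardened read:   #{read_back_raw_entry(HardenedCache).class}"
end
```

The point of the comparison is that the safe behaviour does not depend on inspecting the bytes: the store must remember which entries it serialised itself, because any valid Marshal stream a user can get written raw will deserialise. Checking the class after Marshal.load is too late, since object construction has already happened.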
Comment 1 Hans de Graaff gentoo-dev 2020-05-18 18:46:54 UTC
Rails and are now available.
Comment 2 Sam James archtester gentoo-dev Security 2020-06-18 02:59:07 UTC
Comment 3 Hans de Graaff gentoo-dev 2020-07-05 06:51:39 UTC
cleanup done.
Comment 4 Sam James archtester gentoo-dev Security 2020-07-05 09:48:56 UTC
(In reply to Hans de Graaff from comment #3)
> cleanup done.

Thank you. All done!