Possible Information Leak Vulnerability in Action View. There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering all the scenarios. This vulnerability has been assigned the CVE identifier CVE-2016-2097. Versions Affected: 3.2.x, 4.0.x, 4.1.x Not affected: 4.2+ Fixed Versions: 3.2.22.2, 4.1.14.2 There is a possible remote code execution vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2016-2098. Versions Affected: 3.2.x, 4.0.x, 4.1.x, 4.2.x Not affected: 5.0+ Fixed Versions: 3.2.22.2, 4.1.14.2, 4.2.5.2
Rails 3.2.22.2, 4.1.14.2, and 4.2.5.2 are now in the tree. Given that the list of security issues now includes possible RCE, my intention is to mask Rails 4.0.x for removal, including any dependencies. A tentative package list: dev-ruby/rails:4.0 dev-ruby/railties:4.0 dev-ruby/activerecord:4.0 dev-ruby/actionmailer:4.0 dev-ruby/actionpack:4.0 dev-ruby/activemodel:4.0 dev-ruby/activesupport:4.0 And affected packages that depend on Rails 4.0 (packages depending on these still to be checked): dev-ruby/coffee-rails:4.0 dev-ruby/metasploit-concern dev-ruby/metasploit-credential dev-ruby/metasploit_data_models dev-ruby/metasploit-model net-analyzer/metasploit My intention is to mask these for removal at the end of the week.
Rails 4.0 has now been masked.
CVE-2016-2098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2098): Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. CVE-2016-2097 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2097): Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.
Not sure why I missed this is unstable...