Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 723794 (CVE-2020-8162, CVE-2020-8164, CVE-2020-8165, CVE-2020-8166, CVE-2020-8167) - <dev-ruby/rails-{5.2.4.3,6.0.3.1}: Multiple vulnerablities (CVE-2020-{8162,8164,8165,8166,8167})
Summary: <dev-ruby/rails-{5.2.4.3,6.0.3.1}: Multiple vulnerablities (CVE-2020-{8162,81...
Status: RESOLVED FIXED
Alias: CVE-2020-8162, CVE-2020-8164, CVE-2020-8165, CVE-2020-8166, CVE-2020-8167
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://weblog.rubyonrails.org/2020/5...
Whiteboard: ~1 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-18 17:51 UTC by Hans de Graaff
Modified: 2020-07-05 09:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2020-05-18 17:51:48 UTC
Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.

Both releases contain the following fixes:

    [CVE-2020-8162] Circumvention of file size limits in ActiveStorage
    [CVE-2020-8164] Possible Strong Parameters Bypass in ActionPack
    [CVE-2020-8165] Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
    [CVE-2020-8166] Ability to forge per-form CSRF tokens given a global CSRF token
    [CVE-2020-8167] CSRF Vulnerability in rails-ujs
Comment 1 Hans de Graaff gentoo-dev Security 2020-05-18 18:46:54 UTC
Rails 5.2.4.3 and 6.0.3.1 are now available.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-18 02:59:07 UTC
ping
Comment 3 Hans de Graaff gentoo-dev Security 2020-07-05 06:51:39 UTC
cleanup done.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-05 09:48:56 UTC
(In reply to Hans de Graaff from comment #3)
> cleanup done.

Thank you. All done!