Bug 764320 (CVE-2020-8264) - <dev-ruby/actionpack-6.0.3.4: XSS vulnerability (CVE-2020-8264)
Summary: <dev-ruby/actionpack-6.0.3.4: XSS vulnerability (CVE-2020-8264)
Status: RESOLVED FIXED
Alias: CVE-2020-8264
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://groups.google.com/g/rubyonrai...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2021-01-07 14:35 UTC by Sam James
Modified: 2021-01-10 14:14 UTC
See Also:
Package list:
Runtime testing required: ---
nattka: sanity-check-
Description Sam James archtester gentoo-dev Security 2021-01-07 14:35:31 UTC
Description:
"In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware."

See also: https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ
Comment 1 NATTkA bot gentoo-dev 2021-01-07 14:36:51 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-01-07 14:40:56 UTC
Sanity check failed:

> dev-ruby/actionpack-6.0.3.4
>   bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activemodel-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activemodel-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/railties-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/railties-6.0.3.4[ruby_targets_ruby26(-)]
>   bdepend amd64 stable profile default/linux/amd64/17.1 (14 total)
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activemodel-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activemodel-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/railties-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/railties-6.0.3.4[ruby_targets_ruby26(-)]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby26(-)]
>   rdepend amd64 stable profile default/linux/amd64/17.1 (14 total)
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby26(-)]
Comment 3 Hans de Graaff gentoo-dev 2021-01-10 08:03:55 UTC
Not sure what the point of the package list is here. There are no vulnerable versions in the tree anymore so it looks like we are done here.
Comment 4 Sam James archtester gentoo-dev Security 2021-01-10 14:14:21 UTC
(In reply to Hans de Graaff from comment #3)
> Not sure what the point of the package list is here. There are no vulnerable
> versions in the tree anymore so it looks like we are done here.

Sorry, you're right, only 6.x is vulnerable anyway. Thank you.