FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Rails -- multiple vulnerabilities

Affected packages
rubygem-actionpack52 < 5.2.4.3
rubygem-actionview52 < 5.2.4.3
rubygem-activestorage52 < 5.2.4.3
rubygem-activesupport52 < 5.2.4.3
rubygem-actionpack60 < 6.0.3.1
rubygem-actionview60 < 6.0.3.1
rubygem-activestorage60 < 6.0.3.1
rubygem-activesupport60 < 6.0.3.1

Details

VuXML ID: 85fca718-99f6-11ea-bf1d-08002728f74c
Discovery: 2020-05-18
Entry: 2020-05-19

Ruby on Rails blog:

Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.

Both releases contain the following fixes:

CVE-2020-8162: Circumvention of file size limits in ActiveStorage

CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack

CVE-2020-8165: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

CVE-2020-8166: Ability to forge per-form CSRF tokens given a global CSRF token

CVE-2020-8167: CSRF Vulnerability in rails-ujs

References

CVE Name: CVE-2020-8162
CVE Name: CVE-2020-8164
CVE Name: CVE-2020-8165
CVE Name: CVE-2020-8166
CVE Name: CVE-2020-8167
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
URL: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/