Your message dated Mon, 28 Apr 2025 13:00:06 +0530
with message-id <c5e79b05-aea3-4db2-a52c-dbcb73c57...@debian.org>
and subject line Re: Bug#1024274: rails: CVE-2022-3704: XSS within Route Error Page
has caused the Debian Bug report #1024274,
regarding rails: CVE-2022-3704: XSS within Route Error Page
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1024274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024274
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: rails
Version: 2:6.1.7+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/rails/rails/issues/46244
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for rails.
CVE-2022-3704[0]:
| A vulnerability classified as problematic has been found in Ruby on
| Rails. This affects an unknown part of the file actionpack/lib/action_
| dispatch/middleware/templates/routes/_table.html.erb. The manipulation
| leads to cross site scripting. It is possible to initiate the attack
| remotely. The name of the patch is
| be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a
| patch to fix this issue. The associated identifier of this
| vulnerability is VDB-212319.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-3704
https://www.cve.org/CVERecord?id=CVE-2022-3704
[1] https://github.com/rails/rails/issues/46244
[2] https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
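The report above describes cross-site scripting in a routes-table template, the classic case of a value reaching an ERB template without HTML escaping. The plain-Ruby snippet below is an added illustration of that bug class and is not code from Rails, from the referenced commit, or from the Debian bug: it renders a constructed routes-table row once unescaped and once escaped, reports which fields survived rendering as raw markup, and lints template source for constructs that bypass ActionView's auto-escaping. The route fields, both templates and the lint pattern are assumptions; the page does not state which value the real template rendered unescaped.

```ruby
require "erb"

# Constructed sample route (not from the bug report): the path carries markup
# so the difference between the two templates is visible in the output.
SAMPLE_ROUTE = {
  name: "items_show",
  verb: "GET",
  path: "/items/<img src=x onerror=alert(1)>"
}.freeze

# Hypothetical row template. Plain ERB performs no escaping at all, so
# `<%= value %>` here emits the value verbatim. In ActionView the equivalent
# unsafe forms are `<%== %>`, `raw(...)` and `.html_safe`.
UNESCAPED_ROW = <<~ERB.freeze
  <tr><td><%= route[:name] %></td><td><%= route[:verb] %></td><td><%= route[:path] %></td></tr>
ERB

# Hardened row: every interpolated value goes through ERB::Util.html_escape,
# which is what ActionView's auto-escaping does for `<%= %>` by default.
ESCAPED_ROW = <<~ERB.freeze
  <tr><td><%= ERB::Util.html_escape(route[:name]) %></td><td><%= ERB::Util.html_escape(route[:verb]) %></td><td><%= ERB::Util.html_escape(route[:path]) %></td></tr>
ERB

# Render one table row from the given template and route hash.
def render_row(template, route)
  ERB.new(template).result_with_hash(route: route)
end

# Defender's check on rendered output: a field whose value contains markup
# characters and still appears verbatim in the HTML was not escaped.
def unescaped_fields(route, html)
  route.select { |_field, value| value.match?(/[<>"']/) && html.include?(value) }.keys
end

# Template lint: flag ERB/ActionView constructs that switch escaping off.
BYPASS_PATTERN = /<%==|\braw\s*\(|\.html_safe\b/

# Returns "line: source" strings for each line that uses a bypass construct.
def escaping_bypasses(template_source)
  template_source.each_line.with_index(1)
                 .select { |line, _n| line.match?(BYPASS_PATTERN) }
                 .map { |line, n| "#{n}: #{line.strip}" }
end

if __FILE__ == $PROGRAM_NAME
  unsafe_html = render_row(UNESCAPED_ROW, SAMPLE_ROUTE)
  safe_html   = render_row(ESCAPED_ROW, SAMPLE_ROUTE)
  puts "unescaped row:\n#{unsafe_html}"
  puts "escaped row:\n#{safe_html}"
  puts "fields rendered as raw markup: #{unescaped_fields(SAMPLE_ROUTE, unsafe_html).inspect}"
  # Constructed ActionView-style snippet (not from the page) for the lint.
  puts escaping_bypasses("<td><%== route[:path] %></td>\n<td><%= raw(route[:verb]) %></td>\n")
end
```

The output check and the lint are two independent guards: the first catches an unescaped value after rendering (useful as a regression test for an error page), the second catches the bypass constructs in template source before they ship, which is where a review of a fix like the one referenced in the report would look first.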
--- Begin Message ---
On Sun, 26 Mar 2023 08:35:26 +0200 Lucas Nussbaum <lu...@debian.org> wrote:
It was fixed upstream in the 6.1 stable branch, but NOT in the 6.1.7.X
security releases. See
https://github.com/rails/rails/commit/1593b13665a62a49a4a5e15992e347227ea2cfdd
I think that we should stick with the rails team analysis on this CVE
and not backport the fix.
rails 7.2 should contain the fix, closing.
https://github.com/rails/rails/pull/46269#issuecomment-1409768103
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers