===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2039
                  ruby-sprockets update comes to Debian 8
                               13 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-sprockets
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Read-only Data Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3760

Reference:         ESB-2018.1991

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2018/07/msg00010.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : ruby-sprockets
Version        : 2.12.3-1+deb8u1
CVE IDs        : CVE-2018-3760
Debian Bug     : #901913

It was discovered that there was a path traversal flaw in
ruby-sprockets, a Rack-based asset packaging system.

A remote attacker could take advantage of this flaw to read arbitrary
files outside an application's root directory via "file://" requests.

For Debian 8 "Jessie", this issue has been fixed in ruby-sprockets
version 2.12.3-1+deb8u1.

We recommend that you upgrade your ruby-sprockets packages.


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
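
On hosts that cannot take the fixed package immediately, the "file://" requests the advisory describes can be refused in front of the Rack-based asset server. The middleware below is an added example, not code from Debian, Sprockets or AusCERT; the class name RejectFileScheme, the decode bound and the sample paths are assumptions constructed for illustration.

```ruby
# Added example: stopgap Rack middleware, not Debian or Sprockets code.
# Refuses requests whose path or query carries a "file:" scheme.
class RejectFileScheme
  MAX_DECODE_ROUNDS = 5   # assumption: bound on nested percent-encoding
  FILE_SCHEME = /file:/i  # slightly broader than the advisory's "file://"

  def initialize(app)
    @app = app
  end

  # Percent-decode until the string stops changing, so plain, encoded and
  # double-encoded forms are compared alike. Returns nil if still unstable.
  def self.normalize(raw)
    current = raw.to_s.b
    MAX_DECODE_ROUNDS.times do
      decoded = current.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
      return decoded if decoded == current
      current = decoded
    end
    nil
  end

  def self.suspicious?(env)
    [env['PATH_INFO'], env['QUERY_STRING']].any? do |part|
      normal = normalize(part)
      normal.nil? || normal.match?(FILE_SCHEME) # fail closed on deep nesting
    end
  end

  def call(env)
    if self.class.suspicious?(env)
      # rack.errors is the standard Rack error stream; leave a trace for triage.
      env['rack.errors']&.puts("blocked file: scheme in #{env['PATH_INFO'].inspect}")
      return [403, { 'content-type' => 'text/plain' }, ["Forbidden\n"]]
    end
    @app.call(env)
  end
end

if __FILE__ == $PROGRAM_NAME
  app = RejectFileScheme.new(->(_env) { [200, {}, ['ok']] })
  # Constructed sample paths, not taken from real traffic.
  ['/assets/application.js', '/assets/profile.css',
   '/assets/file:%2F%2Fconstructed/sample'].each do |path|
    puts "#{path} -> #{app.call({ 'PATH_INFO' => path })[0]}"
  end
end
```

The middleware only narrows exposure until the upgrade to 2.12.3-1+deb8u1 is applied; an asset name such as profile.css passes because the match requires the colon of the scheme.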