ALT-BU-2024-7941-1
Branch sisyphus update bulletin.
Package gem-nokogiri updated to version 1.16.4-alt1 for branch sisyphus in task 344821.
Closed bugs
gem-nokogiri-devel: dependency on java-devel
Closed vulnerabilities
Modified: 2025-01-09
CVE-2023-23913
There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033263
- https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468
- https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
- https://security.netapp.com/advisory/ntap-20240605-0007/
- https://www.debian.org/security/2023/dsa-5389
Modified: 2025-01-10
CVE-2023-28362
The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header.
- https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
- https://github.com/advisories/GHSA-4g8v-vg43-wpgf
- https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
- https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5
Modified: 2025-02-15
CVE-2023-38037
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current `umask` settings, meaning that it's possible for other users on the same system to read the contents of the temporary file. Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it. All users running an affected release should either upgrade or use one of the workarounds immediately.
Modified: 2025-02-14
CVE-2024-26144
Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.
- https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945
- https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433
- https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3
- https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml
- https://security.netapp.com/advisory/ntap-20240510-0013/
Package ruby-gnome2 updated to version 4.2.0-alt1.2 for branch sisyphus in task 344821.
Closed bugs
The alexandria program does not start (LoadError)
Closed vulnerabilities
Modified: 2025-02-25
CVE-2024-3727
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
- RHSA-2024:4850
- RHSA-2024:4960
- RHSA-2024:5258
- RHSA-2024:5951
- RHSA-2024:6054
- RHSA-2024:6122
- RHSA-2024:6708
- RHSA-2024:6818
- RHSA-2024:6824
- RHSA-2024:7164
- RHSA-2024:7174
- RHSA-2024:7182
- RHSA-2024:7187
- RHSA-2024:7922
- RHSA-2024:7941
- RHSA-2024:8260
- RHSA-2024:8425
- RHSA-2024:9097
- RHSA-2024:9098
- RHSA-2024:9102
- RHSA-2024:9960
- https://access.redhat.com/security/cve/CVE-2024-3727
- RHBZ#2274767
- RHSA-2024:0045
- RHSA-2024:3718
- RHSA-2024:4159
- RHSA-2024:4613
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HEYS34N55G7NOQZKNEXZKQVNDGEICCD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6B37TXOKTKDBE2V26X2NSP7JKNMZOFVP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYT3D2P3OJKISNFKOOHGY6HCUCQZYAVR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLND3YDQQRWVRIUPL2G5UKXP5L3VSBBT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTOMYERG5ND4QFDHC4ZSGCED3T3ESRSC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FBZQ2ZRMFEUQ35235B2HWPSXGDCBZHFV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QFXMF3VVKIZN7ZMB7PKZCSWV6MOMTGMQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFVSMR7TNLO2KPWJSW4CF64C2QMQXCIN/
Closed bugs
rvm-devel: broken preinstall scriptlet