Security update for rubygem-actionpack-4_1 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:0858-1 Final 1 1 2016-03-22T16:21:44Z current 2016-03-22T16:21:44Z 2016-03-22T16:21:44Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-actionpack-4_1 This update for rubygem-actionpack-4_1 fixes the following issues: - CVE-2016-0751: Object Leak DoS (bsc#963331) - CVE-2015-7581: unbounded memory growth DoS via wildcard controller routes (bsc#963335) - CVE-2016-0752: directory traversal and information leak in Action View (bsc#963332) - CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller (bsc#963329) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sleclo50sp3-rubygem-actionpack-4_1-12468 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20160858-1/ Link for SUSE-SU-2016:0858-1 https://lists.suse.com/pipermail/sle-security-updates/2016-March/001964.html E-Mail link for SUSE-SU-2016:0858-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/963329 SUSE Bug 963329 https://bugzilla.suse.com/963331 SUSE Bug 963331 https://bugzilla.suse.com/963332 SUSE Bug 963332 https://bugzilla.suse.com/963335 SUSE Bug 963335 https://www.suse.com/security/cve/CVE-2015-7576/ SUSE CVE CVE-2015-7576 page https://www.suse.com/security/cve/CVE-2015-7581/ SUSE CVE CVE-2015-7581 page https://www.suse.com/security/cve/CVE-2016-0751/ SUSE CVE CVE-2016-0751 page https://www.suse.com/security/cve/CVE-2016-0752/ SUSE CVE CVE-2016-0752 page SUSE OpenStack Cloud 5 ruby2.1-rubygem-actionpack-4_1-4.1.9-9.1 ruby2.1-rubygem-actionpack-4_1-4.1.9-9.1 as a component of SUSE OpenStack Cloud 5 The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. CVE-2015-7576 SUSE OpenStack Cloud 5:ruby2.1-rubygem-actionpack-4_1-4.1.9-9.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160858-1/ https://www.suse.com/security/cve/CVE-2015-7576.html CVE-2015-7576 https://bugzilla.suse.com/963329 SUSE Bug 963329 https://bugzilla.suse.com/963563 SUSE Bug 963563 https://bugzilla.suse.com/970715 SUSE Bug 970715 actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route. CVE-2015-7581 SUSE OpenStack Cloud 5:ruby2.1-rubygem-actionpack-4_1-4.1.9-9.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160858-1/ https://www.suse.com/security/cve/CVE-2015-7581.html CVE-2015-7581 https://bugzilla.suse.com/963335 SUSE Bug 963335 actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header. CVE-2016-0751 SUSE OpenStack Cloud 5:ruby2.1-rubygem-actionpack-4_1-4.1.9-9.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160858-1/ https://www.suse.com/security/cve/CVE-2016-0751.html CVE-2016-0751 https://bugzilla.suse.com/963331 SUSE Bug 963331 https://bugzilla.suse.com/963627 SUSE Bug 963627 Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. CVE-2016-0752 SUSE OpenStack Cloud 5:ruby2.1-rubygem-actionpack-4_1-4.1.9-9.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160858-1/ https://www.suse.com/security/cve/CVE-2016-0752.html CVE-2016-0752 https://bugzilla.suse.com/963332 SUSE Bug 963332 https://bugzilla.suse.com/963608 SUSE Bug 963608 https://bugzilla.suse.com/968850 SUSE Bug 968850