[SECURITY] [DLA 1739-1] rails security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : rails
Version : 2:4.1.8-1+deb8u5
CVE ID : CVE-2019-5418 CVE-2019-5419
Debian Bug : 924520
John Hawthorn of Github discovered a file content disclosure
vulnerability in Rails, a ruby based web application framework.
Specially crafted accept headers in combination with calls to `render
file:` can cause arbitrary files on the target server to be rendered,
disclosing the file contents.
This vulnerability could also be exploited for a denial-of-service
attack.
For Debian 8 "Jessie", these problems have been fixed in version
2:4.1.8-1+deb8u5.
We recommend that you upgrade your rails packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlygxcpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeR00g/+Nu/1PQI0LAcjuGZD2D6UvJ02cKv6vEJ8kyO3k7upjkGMlXsK+KnXKFrW
H4n1oljsKd0KEKF/5w5eTs299sj1jXBOR/Xtq1AxH1z/RQaULGLqFf0yPF5+aHrJ
0mACiLGPIqwbSymT1nz6Gemt6rXo9b6PUnCxqj2lu5k7t4t9Al1kRwArBr4tzwaW
c3tqAIER8HC/8AkdFFZipVBdIbgi0xDjlpfWbvD/sqdjKgM70JsxxTLOjXZlS03R
wWoRuO+KXosjRaCC/hxsYMb+jg31XULqfVCQnwdihPQuL/sGIsLU4uduG5XIgp2y
GOV3bVqaQNZPZKDGR4obtNUU6CCSntqjL8jS5H7XTjjrgoEOnlC5M3x6EVxtNO8t
6+Pn7acQ3KO40O2iXa5dRdOURaKAVPBg80W+ePEkgjYpBxBDYMDioMlacg7eXlIg
P2poEUFb9DLOrZJi9Qi24VnVuH/QJl7/K++t7Ed2IVLJEgvtLUnm4i4Y86n7kSn0
UKAIKvIwKMfdmyLuuUZzHDWbFXhYiERW7l0LQoqRcGvw14OsGdj+nUb18cIv3EYS
pW8kSGDw3CQbQa+rklxDUg4EvikwcJ0ixuYfYZXoQX5ey6LAK2CxjuqnBNsEOAAO
REu759u1S0m2i9vwg0SHGU9J9ShrMZSPPHFkHGvqM9ZMJp9VlRY=
=cKL4
-----END PGP SIGNATURE-----
Reply to: