[SECURITY] [DLA 2251-1] rails security update
-----BEGIN PGP SIGNED MESSAGE-----
Package : rails
Version : 2:4.1.8-1+deb8u7
CVE ID : CVE-2020-8164 CVE-2020-8165
Two vulnerabilities were found in Ruby on Rails, a MVC ruby-based
framework geared for web application development, which could lead to
remote code execution and untrusted user input usage, depending on the
Strong parameters bypass vector in ActionPack. In some cases user
supplied information can be inadvertently leaked from Strong
Parameters. Specifically the return value of `each`, or
`each_value`, or `each_pair` will return the underlying
"untrusted" hash of data that was read from the parameters.
Applications that use this return value may be inadvertently use
untrusted user input.
Potentially unintended unmarshalling of user-provided objects in
MemCacheStore. There is potentially unexpected behaviour in the
MemCacheStore where, when untrusted user input is written to the
cache store using the `raw: true` parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object
instead of plain text. Unmarshalling of untrusted user input can
have impact up to and including RCE. At a minimum, this
vulnerability allows an attacker to inject untrusted Ruby objects
into a web application.
In addition to upgrading to the latest versions of Rails,
developers should ensure that whenever they are calling
`Rails.cache.fetch` they are using consistent values of the `raw`
parameter for both reading and writing.
For Debian 8 "Jessie", these problems have been fixed in version
We recommend that you upgrade your rails packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----