[SECURITY] [DLA 4383-1] rails security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4383-1                   debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Bastien Roucariès
November 25, 2025                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : rails
Version : 2:6.0.3.7+dfsg-2+deb11u3
CVE ID : CVE-2022-44566 CVE-2023-28362 CVE-2023-38037 CVE-2024-41128
CVE-2024-47887 CVE-2024-47888 CVE-2024-47889 CVE-2024-54133
Debian Bug : 1030050 1051057 1051058 1085376 1089755
rails, a popular server-side application framework, was affected by multiple
vulnerabilities.
CVE-2022-44566
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which
defaults to true.
CVE-2023-28362
The redirect_to method in Rails allows provided values
to contain characters which are not legal in an HTTP header
value. This results in the potential for downstream services
which enforce RFC compliance on HTTP response headers to remove
the assigned Location header.
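The failure mode above is that a redirect target carrying bytes illegal in a header value is not merely mangled but can cause an RFC-enforcing proxy to drop the whole Location header. The following is an added example (not code from the advisory or from Rails) of a defensive check applied before a target is placed in Location; the error class and function names are assumptions made for this illustration.

```ruby
# Added example, not from the advisory or from Rails: refuse redirect targets
# that cannot be represented as an HTTP header value. Names are assumptions.

class IllegalHeaderValueError < ArgumentError; end

# RFC 7230 field-value bytes: VCHAR (0x21..0x7E), SP, HTAB and obs-text
# (0x80..0xFF). CR, LF, NUL and the other C0 control bytes are not allowed.
# An intermediary enforcing this may discard the entire Location header
# rather than the offending bytes, so the redirect silently stops working.
def legal_header_value?(value)
  value.each_byte.all? do |b|
    b == 0x09 || b == 0x20 || (0x21..0x7E).cover?(b) || b >= 0x80
  end
end

# Builds the response headers for a redirect, or raises when the target is
# not a legal header value. Raising, rather than stripping bytes, makes the
# problem visible in application logs instead of producing a redirect that
# some intermediaries forward and others drop.
def redirect_headers(target, status: 302)
  unless legal_header_value?(target)
    raise IllegalHeaderValueError,
          "redirect target contains bytes not allowed in a header value: #{target.inspect}"
  end
  { status: status, "Location" => target }
end

if __FILE__ == $PROGRAM_NAME
  p redirect_headers("https://example.com/account?tab=security")
  begin
    # Constructed input: an embedded line break is illegal in a header value.
    redirect_headers("https://example.com/\nnext")
  rescue IllegalHeaderValueError => e
    puts "rejected: #{e.message}"
  end
end
```

The check works on bytes rather than characters so that UTF-8 targets (obs-text in RFC 7230 terms) pass while control bytes embedded anywhere in the string are caught regardless of the string's encoding.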
CVE-2023-38037
ActiveSupport::EncryptedFile writes contents that will be
encrypted to a temporary file. The temporary file's permissions
are defaulted to the user's current `umask` settings, meaning
that it's possible for other users on the same system to read
the contents of the temporary file. Attackers that have access
to the file system could possibly read the contents of this
temporary file while a user is editing it.
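The mitigation for a umask-dependent scratch file is to create it with an explicit owner-only mode and verify that mode before writing secrets into it. The following is an added example (not code from the advisory or from Rails) showing the permissive default beside the hardened creation; the function names are assumptions, and the "simulated permissive umask" is set only inside the demo to make the difference observable.

```ruby
# Added example, not from the advisory or from Rails: create a scratch file
# for editing encrypted content with an explicit 0600 mode so the process
# umask cannot leave it readable by other local users. Names are assumptions.
require "tmpdir"

# O_EXCL fails if the path already exists, so the file is always freshly
# created by this process rather than opened through a pre-existing path.
# The perm argument is still masked by umask, hence the explicit chmod after.
def create_private_scratch_file(dir, name, contents)
  path = File.join(dir, name)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(contents)
  end
  File.chmod(0o600, path)
  path
end

def permissions_of(path)
  File.stat(path).mode & 0o777
end

# True when the group or "other" read bit is set.
def group_or_world_readable?(path)
  (permissions_of(path) & 0o044) != 0
end

# Returns [readable_by_others_with_default_mode, readable_by_others_with_0600]
# under a simulated permissive umask of 000.
def demo
  Dir.mktmpdir("credentials-edit") do |dir|
    old_umask = File.umask(0o000)
    begin
      loose = File.join(dir, "loose.yml")
      File.open(loose, "w") { |f| f.write("secret") } # mode follows umask
      tight = create_private_scratch_file(dir, "tight.yml", "secret")
      [group_or_world_readable?(loose), group_or_world_readable?(tight)]
    ensure
      File.umask(old_umask)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  loose_readable, tight_readable = demo
  puts "default-mode file readable by others: #{loose_readable}"
  puts "0600 scratch file readable by others:  #{tight_readable}"
end
```

The chmod after creation matters because `open(2)` applies the umask to the requested mode; with an unusual umask the requested 0600 could still be narrowed, but it can never be widened, so the chmod is a belt-and-braces step that pins the final mode regardless of environment.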
CVE-2024-41128
Action Pack is a framework for handling and responding
to web requests. There is a possible ReDoS vulnerability in
the query parameter filtering routines of Action Dispatch.
Carefully crafted query parameters can cause query parameter
filtering to take an unexpected amount of time, possibly
resulting in a DoS vulnerability.
CVE-2024-47887
Action Pack is a framework for handling and responding
to web requests. There is a possible ReDoS vulnerability in
Action Controller's HTTP Token authentication.
For applications using HTTP Token authentication via
`authenticate_or_request_with_http_token` or similar,
a carefully crafted header may cause header parsing
to take an unexpected amount of time, possibly resulting
in a DoS vulnerability.
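Two controls bound the cost of parsing an attacker-supplied Authorization header: cap its size before parsing, and parse it with operations whose running time is linear in the input rather than a backtracking regular expression. The following is an added example (not code from the advisory or from Rails) of a Token-scheme parser built that way, with a constant-time token comparison; MAX_AUTHORIZATION_BYTES and the function names are assumptions.

```ruby
# Added example, not from the advisory or from Rails: parse an
# "Authorization: Token ..." header with string splitting instead of a
# backtracking regex, after capping its size. Names and the limit are
# assumptions.

MAX_AUTHORIZATION_BYTES = 2048

# Returns a Hash such as {"token" => "abc", "realm" => "api"}, or nil when
# the header is absent, oversized or not the Token scheme. A bare
# "Token abc" is treated as token="abc". Quoted values may not contain
# commas in this simplified parser (assumption).
def parse_token_authorization(header)
  return nil if header.nil? || header.bytesize > MAX_AUTHORIZATION_BYTES

  scheme, rest = header.strip.split(" ", 2)
  return nil unless scheme == "Token" && rest

  return { "token" => rest.strip } unless rest.include?("=")

  params = {}
  rest.split(",").each do |pair|          # split is linear in the input size
    key, value = pair.split("=", 2)
    return nil if key.nil? || value.nil?
    key = key.strip
    value = value.strip
    if value.length >= 2 && value.start_with?('"') && value.end_with?('"')
      value = value[1...-1]
    end
    return nil if key.empty?
    params[key] = value
  end
  params
end

# Compares two strings without short-circuiting on the first differing byte.
# A length mismatch returns early; the expected token's length is fixed by
# the issuer, so that reveals nothing an attacker does not already know.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.each_byte.zip(b.each_byte) { |x, y| result |= x ^ y }
  result.zero?
end

def authenticate_token(header, expected_token)
  params = parse_token_authorization(header)
  return false unless params && params["token"]
  secure_compare(params["token"], expected_token)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample headers.
  p parse_token_authorization('Token token="abc123", realm="api"')
  p parse_token_authorization("Token " + ("a" * 4096))  # nil: over the cap
  p authenticate_token('Token token="s3cret"', "s3cret")
end
```

The size cap is the important part: whatever parser sits behind it, a header that cannot exceed a few kilobytes cannot drive parsing time into the range where a single request ties up a worker.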
CVE-2024-47888
Action Text brings rich text content and editing to Rails.
There is a possible ReDoS vulnerability in the
`plain_text_for_blockquote_node` helper in Action Text.
Carefully crafted text can cause the `plain_text_for_blockquote_node`
helper to take an unexpected amount of time,
possibly resulting in a DoS vulnerability.
CVE-2024-47889
Action Mailer is a framework for designing email service layers.
There is a possible ReDoS vulnerability in the block_format helper
in Action Mailer. Carefully crafted text can cause the block_format
helper to take an unexpected amount of time, possibly
resulting in a DoS vulnerability.
CVE-2024-54133
Action Pack is a framework for handling and responding
to web requests. There is a possible Cross Site Scripting (XSS)
vulnerability in the `content_security_policy` helper.
Applications which set Content-Security-Policy (CSP) headers dynamically
from untrusted user input may be vulnerable to carefully crafted
inputs being able to inject new directives into the CSP.
This could lead to a bypass of the CSP and its protection
against XSS and other attacks.
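The root cause described above is that a CSP directive value is assembled by interpolating untrusted input, so an input containing `;` becomes a directive separator. The following is an added example (not code from the advisory or from Rails) showing the unchecked builder beside a hardened one that validates every source against a small fixed grammar and rejects `;`, whitespace and quotes outside an allowlist; the function names are assumptions.

```ruby
# Added example, not from the advisory or from Rails: build a
# Content-Security-Policy value from runtime-supplied sources without letting
# any source become more than one source expression. Names are assumptions.

KEYWORD_SOURCES = ["'self'", "'none'"].freeze
SCHEME_SOURCES  = %w[https: wss:].freeze
PORT_RANGE      = (1..65535)

# Vulnerable pattern: interpolation trusts the caller, so a source string
# containing ';' appends a whole new directive to the policy.
def csp_header_unchecked(script_sources)
  "default-src 'self'; script-src #{script_sources.join(' ')}"
end

# Accepts an allowlisted keyword, a scheme-source, or a host-source such as
# cdn.example.com, *.example.org, https://cdn.example.com:443. A single
# character class plus string splitting keeps validation linear in length.
# A bare "*" is rejected on purpose: it would neutralise the directive.
def valid_csp_source?(source)
  return true if KEYWORD_SOURCES.include?(source) || SCHEME_SOURCES.include?(source)

  host, port = source.sub(%r{\Ahttps?://}, "").split(":", 2)
  return false if host.nil? || host.empty?
  return false unless host.match?(/\A[A-Za-z0-9.*-]+\z/) # no ';', space, quotes, '/'

  labels = host.split(".", -1)
  return false if labels.any?(&:empty?)                    # leading/trailing/double dots
  labels.each_with_index do |label, i|
    if label == "*"
      return false unless i.zero? && labels.length > 1    # wildcard only as leftmost label
    else
      return false if label.include?("*") || label.start_with?("-") || label.end_with?("-")
    end
  end

  return true if port.nil?
  port.match?(/\A\d{1,5}\z/) && PORT_RANGE.cover?(port.to_i)
end

# Hardened builder: every source is validated, and the request fails loudly
# instead of emitting a policy the caller did not intend.
def csp_header(script_sources)
  invalid = script_sources.reject { |s| valid_csp_source?(s) }
  raise ArgumentError, "rejected CSP source(s): #{invalid.inspect}" unless invalid.empty?
  "default-src 'self'; script-src #{(["'self'"] + script_sources).uniq.join(' ')}"
end

if __FILE__ == $PROGRAM_NAME
  good = ["https://cdn.example.com", "*.example.org:443"]   # constructed input
  puts csp_header(good)
  bad = ["cdn.example.com; img-src *"]                       # constructed input
  puts csp_header_unchecked(bad)                             # two directives from one "source"
  begin
    csp_header(bad)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Validating by grammar rather than by stripping `;` is deliberate: stripping leaves the application emitting a policy nobody reviewed, whereas rejecting the request surfaces the bad input where it can be logged and investigated.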
For Debian 11 bullseye, these problems have been fixed in version
2:6.0.3.7+dfsg-2+deb11u3.
We recommend that you upgrade your rails packages.
For the detailed security status of rails please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rails
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS