[v2.7] ruby-actionpack: multiple fixes (CVE-2014-0081 CVE-2014-0082 CVE-2014-0130)
CVE-2014-0130:
Directory traversal vulnerability in
actionpack/lib/abstract_controller/base.rb in the implicit-render
implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and
4.1.x before 4.1.1, when certain route globbing configurations are
enabled, allows remote attackers to read arbitrary files via a crafted
request.
•MLIST:[rubyonrails-security] 20140506 [CVE-2014-0130] Directory
Traversal Vulnerability With Certain Route Configurations
•URL: https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ
(from redmine: issue id 2943, created on 2014-05-23, closed on 2015-05-22)
- Relations:
  - parent #2940 (closed)
- Changesets:
  - Revision faa1f8ec by Natanael Copa on 2014-06-25T15:10:43Z:

    main/ruby-actionpack: upgrade to 4.0.5
    fixes #2943