[v2.6] ruby-actionpack: arbitrary file existence disclosure (CVE-2014-7818)
There is an information leak vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2014-7818.
Versions Affected: >= 3.0.0
Not affected: <= 3.0.0
Fixed Versions: 3.2.20, 4.0.11, 4.1.7, 4.2.0.beta3
Workarounds
-----------
To work around this issue, set config.serve_static_assets = false in an initializer. This workaround will not be possible in all hosting environments, and upgrading is advised.
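As an added illustration of the class of check that stops such an existence probe (this is not the Rails patch and not code from this issue; the class name, the constructed directory tree and the request paths are assumptions), the resolver below rejects any request path that would leave the public root lexically before it asks the filesystem anything:

```ruby
# Illustrative hardened static-file resolver (added example, not the Rails
# patch): reject request paths that would leave the public root *before*
# touching the filesystem, so a probe cannot learn whether files outside
# the root exist.
require "tmpdir"

class SafeStaticFiles
  def initialize(root)
    @root = File.absolute_path(root)
  end

  # Returns the absolute path of a regular file under @root, or nil.
  # Only candidates that passed the containment check reach File.file?,
  # so an outside path yields the same nil as a missing file inside.
  def resolve(request_path)
    decoded = percent_decode(request_path.to_s)
    return nil if decoded.include?("\0")        # NUL would truncate the path
    relative = decoded.sub(%r{\A/+}, "")        # request paths are root-relative
    # File.absolute_path, unlike File.expand_path, does not expand "~".
    candidate = File.absolute_path(relative, @root)
    return nil unless candidate == @root || candidate.start_with?(@root + File::SEPARATOR)
    File.file?(candidate) ? candidate : nil
  end

  # Builds a constructed tree (public/index.html plus a file outside the
  # root) and reports, per request, whether the resolver behaved as intended.
  def self.demo
    Dir.mktmpdir do |dir|
      root = File.join(dir, "public")
      Dir.mkdir(root)
      File.write(File.join(root, "index.html"), "<h1>hello</h1>")
      File.write(File.join(dir, "secret.txt"), "outside the root")
      files = new(root)
      {
        inside:    files.resolve("/index.html") == File.join(root, "index.html"),
        missing:   files.resolve("/nope.html").nil?,
        traversal: files.resolve("/../secret.txt").nil?,
        encoded:   files.resolve("/%2e%2e/secret.txt").nil?,
        sibling:   files.resolve("/../public2/index.html").nil?,
        home:      files.resolve("/~/.bashrc").nil?,
        nul:       files.resolve("/index.html%00.txt").nil?,
      }
    end
  end

  private

  # Minimal %XX decoding, done before normalisation so "%2e%2e" is seen as "..".
  def percent_decode(str)
    str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
  end
end
```

Symlinks inside the root are not resolved here; if the deployment allows them, a File.realpath check on the already-contained candidate is the additional step.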
Patches
-------
To aid users who aren't able to upgrade immediately, patches for the two supported release series are provided. They are in git-am format and consist of a single changeset. See the link below.
References:
CONFIRM: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7818
PATCHES: http://seclists.org/oss-sec/2014/q4/474
(from redmine: issue id 3580, created on 2014-11-26, closed on 2014-12-11)
- Relations:
  - parent #3579 (closed)
- Changesets:
  - Revision 58bc3dae by Kaarle Ritvanen on 2014-12-10T01:06:53Z:
    main/ruby-rails: upgrade to 3.2.21
    fixes #2579
    fixes #2805
    fixes #2808
    fixes #2942
    fixes #3151
    fixes #3474
    fixes #3580
    fixes #3584
    CVE-2013-0334
    CVE-2013-4389
    CVE-2013-4492
    CVE-2013-6414
    CVE-2013-6415
    CVE-2013-6417
    CVE-2014-0081
    CVE-2014-0082
    CVE-2014-0130
    CVE-2014-3482
    CVE-2014-3483
    CVE-2014-7818
    CVE-2014-7819
  - Revision 6220de6d by Kaarle Ritvanen on 2014-12-10T01:07:22Z:
    main/ruby-redmine-rails: upgrade to 3.2.21
    fixes #2805
    fixes #2808
    fixes #2942
    fixes #3151
    fixes #3580
    fixes #3584
    CVE-2013-4389
    CVE-2013-6414
    CVE-2013-6415
    CVE-2013-6417
    CVE-2014-0081
    CVE-2014-0082
    CVE-2014-0130
    CVE-2014-3482
    CVE-2014-3483
    CVE-2014-7818
    CVE-2014-7819