[v2.6] ruby-redmine-sprockets: directory traversal vulnerabilities in server.rb (CVE-2014-7819)
Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.
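As an added illustration of the bug class described above (this is not code from Sprockets or Rails, and the naive checker is a constructed stand-in, not the real check in server.rb): a segment-counting traversal check that runs on the raw request path is defeated by exactly the two vectors the description names, double slashes and URL encoding, while a resolver that decodes once, canonicalises with File.expand_path and then tests containment rejects both. The asset root, the request paths and all function names are constructed for the example.

```ruby
# Added illustration of the CVE-2014-7819 bug class: a path check applied to
# the raw request path lets an attacker probe for files outside the asset
# root. The naive checker is a constructed stand-in, NOT Sprockets' server.rb
# code; the asset root and request paths are constructed sample values.

# Constructed asset root; File.expand_path yields a canonical absolute path.
ASSET_ROOT = File.expand_path("/srv/app/public/assets")

# Naive check (stand-in): walk the "/"-separated segments of the raw, still
# percent-encoded path and keep a depth counter. It catches the textbook
# "../../etc/passwd" but is bypassed two ways:
#   1. double slashes: "a//../../x" splits into ["a", "", "..", "..", "x"];
#      the empty segment is counted as a directory, so the depth never goes
#      negative, although the filesystem resolves the path to "../x";
#   2. URL encoding: "%2e%2e" is not the literal "..", so it is counted as an
#      ordinary segment and only decoded later, after the check.
def naive_allowed?(raw_path)
  depth = 0
  raw_path.split("/").each do |segment|
    depth += (segment == "..") ? -1 : 1
    return false if depth < 0
  end
  true
end

# Decode %XX escapes exactly once (no "+" handling, no double decoding).
def percent_decode(raw_path)
  raw_path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Hardened resolver: decode first, refuse absolute and "~" paths, then
# canonicalise against the root and require the result to stay inside it.
# Returns the resolved absolute path, or nil when the request must be
# refused. Answer the nil case with the same status used for a missing
# asset, so the response does not reveal whether a file outside the root
# exists.
def resolve_under_root(root, raw_path)
  decoded = percent_decode(raw_path)
  return nil if decoded.start_with?("/", "~")   # absolute path or home expansion
  full = File.expand_path(decoded, root)        # collapses "//", "." and ".."
  return nil unless full.start_with?(root + "/")
  full
end

if __FILE__ == $PROGRAM_NAME
  ["../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
   "a//../../x", "css//app.css", "application.js"].each do |req|
    printf("%-28s naive=%-5s hardened=%s\n", req, naive_allowed?(req),
           resolve_under_root(ASSET_ROOT, req).inspect)
  end
end
```

File.expand_path normalises lexically and never consults the filesystem, so the containment test holds for any input, including paths that do not exist. It does not follow symlinks; if the asset directory can contain symlinks pointing outside it, resolve the final path with File.realpath and repeat the prefix check on that result.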
•MLIST: [rubyonrails-security] 20141030 Arbitrary file existence disclosure in Sprockets (CVE-2014-7819)
•URL: https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ
•MLIST: [rubyonrails-security] 20141030 [AMENDED] [CVE-2014-7819] Arbitrary file existence disclosure in Sprockets
•URL: https://groups.google.com/forum/message/raw?msg=rubyonrails-security/doAVp0YaTqY/aHFngBqNBoAJ
(from redmine: issue id 3584, created on 2014-11-27, closed on 2014-12-11)
- Relations:
- parent #3583 (closed)
- Changesets:
- Revision 58bc3dae by Kaarle Ritvanen on 2014-12-10T01:06:53Z:
main/ruby-rails: upgrade to 3.2.21
fixes #2579
fixes #2805
fixes #2808
fixes #2942
fixes #3151
fixes #3474
fixes #3580
fixes #3584
CVE-2013-0334
CVE-2013-4389
CVE-2013-4492
CVE-2013-6414
CVE-2013-6415
CVE-2013-6417
CVE-2014-0081
CVE-2014-0082
CVE-2014-0130
CVE-2014-3482
CVE-2014-3483
CVE-2014-7818
CVE-2014-7819
- Revision 6220de6d by Kaarle Ritvanen on 2014-12-10T01:07:22Z:
main/ruby-redmine-rails: upgrade to 3.2.21
fixes #2805
fixes #2808
fixes #2942
fixes #3151
fixes #3580
fixes #3584
CVE-2013-4389
CVE-2013-6414
CVE-2013-6415
CVE-2013-6417
CVE-2014-0081
CVE-2014-0082
CVE-2014-0130
CVE-2014-3482
CVE-2014-3483
CVE-2014-7818
CVE-2014-7819
- Revision fefee117 by Kaarle Ritvanen on 2014-12-10T01:07:22Z:
main/ruby-sprockets: upgrade to 2.2.3 (CVE-2014-7819)
fixes #3584