Описание
Security update for rubygem-actionpack-3_2
This update for rubygem-actionpack-3_2 fixes the following issues:
-
CVE-2016-2097: rubygem-actionview: Possible Information Leak Vulnerability in Action View. (bsc#968850)
-
CVE-2016-2098: rubygem-actionpack: Possible remote code execution vulnerability in Action Pack (bsc#968849)
Список пакетов
SUSE Lifecycle Management Server 1.3
SUSE Linux Enterprise Software Development Kit 11 SP4
SUSE Studio Onsite 1.3
SUSE WebYast 1.3
Ссылки
- Link for SUSE-SU-2016:0967-1
- E-Mail link for SUSE-SU-2016:0967-1
- SUSE Security Ratings
- SUSE Bug 968849
- SUSE Bug 968850
- SUSE CVE CVE-2016-2097 page
- SUSE CVE CVE-2016-2098 page
Описание
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.
Затронутые продукты
Ссылки
- CVE-2016-2097
- SUSE Bug 963332
- SUSE Bug 968850
Описание
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
Затронутые продукты
Ссылки
- CVE-2016-2098
- SUSE Bug 968849
- SUSE Bug 969943
- SUSE Bug 993313