exploitDog

SUSE-SU-2022:2108-1

Опубликовано: 16 июн. 2022

Источник: suse-cvrf

Описание

Security update for rubygem-actionpack-5_1, rubygem-activesupport-5_1

This update for rubygem-actionpack-5_1 and rubygem-activesupport-5_1 fixes the following issues:

CVE-2021-22904: Fixed possible DoS Vulnerability in Action Controller Token Authentication (bsc#1185780)
CVE-2022-23633: Fixed possible exposure of information vulnerability in Action Pack (bsc#1196182)

Список пакетов

Image SLES15-SP1-SAP-Azure-LI-BYOS-Production

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP2-SAP-Azure

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP2-SAP-Azure-LI-BYOS-Production

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP2-SAP-BYOS-Azure

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP2-SAP-BYOS-EC2-HVM

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP2-SAP-BYOS-GCE

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP2-SAP-EC2-HVM

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP2-SAP-GCE

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP3-SAP-Azure-LI-BYOS-Production

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP3-SAP-BYOS-Azure

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP3-SAP-BYOS-EC2-HVM

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP3-SAP-BYOS-GCE

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-Azure-LI-BYOS

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-Azure-LI-BYOS-Production

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-Azure-VLI-BYOS

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-BYOS

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-BYOS-Azure

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-BYOS-EC2

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-BYOS-GCE

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-Hardened

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-Hardened-Azure

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-Hardened-BYOS

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-Hardened-BYOS-Azure

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-Hardened-BYOS-EC2

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-Hardened-BYOS-GCE

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-Hardened-EC2

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP4-SAP-Hardened-GCE

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP5-SAP-Azure-3P

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP5-SAP-Azure-LI-BYOS

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP5-SAP-Azure-LI-BYOS-Production

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP5-SAP-Azure-VLI-BYOS

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP5-SAP-BYOS-Azure

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP5-SAP-BYOS-EC2

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP5-SAP-BYOS-GCE

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP5-SAP-Hardened-Azure

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP5-SAP-Hardened-BYOS-Azure

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP5-SAP-Hardened-BYOS-EC2

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP5-SAP-Hardened-BYOS-GCE

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP5-SAP-Hardened-EC2

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP5-SAP-Hardened-GCE

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-Azure-LI-BYOS

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-Azure-LI-BYOS-Production

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-Azure-VLI-BYOS

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-Azure-VLI-BYOS-Production

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-BYOS

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-BYOS-Azure

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-BYOS-EC2

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-BYOS-GCE

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-Hardened

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-Hardened-Azure

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-Hardened-BYOS

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-Hardened-BYOS-Azure

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-Hardened-BYOS-EC2

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-Hardened-BYOS-GCE

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-Hardened-EC2

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP6-SAP-Hardened-GCE

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

SUSE Linux Enterprise High Availability Extension 15

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

SUSE Linux Enterprise High Availability Extension 15 SP1

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

SUSE Linux Enterprise High Availability Extension 15 SP2

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

SUSE Linux Enterprise High Availability Extension 15 SP3

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

SUSE Linux Enterprise High Availability Extension 15 SP4

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

openSUSE Leap 15.3

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

ruby2.5-rubygem-activesupport-doc-5_1-5.1.4-150000.3.6.1

openSUSE Leap 15.4

ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-150000.3.12.1

ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

ruby2.5-rubygem-activesupport-doc-5_1-5.1.4-150000.3.6.1

Ссылки

https://www.suse.com/support/update/announcement/2022/suse-su-20222108-1/
Link for SUSE-SU-2022:2108-1
https://lists.suse.com/pipermail/sle-security-updates/2022-June/011300.html
E-Mail link for SUSE-SU-2022:2108-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1185780
SUSE Bug 1185780
https://bugzilla.suse.com/1196182
SUSE Bug 1196182
https://www.suse.com/security/cve/CVE-2021-22904/
SUSE CVE CVE-2021-22904 page
https://www.suse.com/security/cve/CVE-2022-23633/
SUSE CVE CVE-2022-23633 page

Описание

The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.

Затронутые продукты

Image SLES15-SP1-SAP-Azure-LI-BYOS-Production:ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

Image SLES15-SP1-SAP-Azure-LI-BYOS-Production:ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production:ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production:ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-22904.html
CVE-2021-22904
https://bugzilla.suse.com/1185780
SUSE Bug 1185780

Описание

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

Затронутые продукты

Image SLES15-SP1-SAP-Azure-LI-BYOS-Production:ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

Image SLES15-SP1-SAP-Azure-LI-BYOS-Production:ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production:ruby2.5-rubygem-actionpack-5_1-5.1.4-150000.3.12.1

Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production:ruby2.5-rubygem-activesupport-5_1-5.1.4-150000.3.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-23633.html
CVE-2022-23633
https://bugzilla.suse.com/1196182
SUSE Bug 1196182

Уязвимость SUSE-SU-2022:2108-1