ruby2.2-rubygem-actionpack-4_2-4.2.7.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10332 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby2.2-rubygem-actionpack-4_2-4.2.7.1-1.1 on GA media These are all security issues fixed in the ruby2.2-rubygem-actionpack-4_2-4.2.7.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10332 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10332 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2014-4671/ SUSE CVE CVE-2014-4671 page https://www.suse.com/security/cve/CVE-2014-7818/ SUSE CVE CVE-2014-7818 page https://www.suse.com/security/cve/CVE-2014-7829/ SUSE CVE CVE-2014-7829 page https://www.suse.com/security/cve/CVE-2016-2098/ SUSE CVE CVE-2016-2098 page openSUSE Tumbleweed ruby2.2-rubygem-actionpack-4_2-4.2.7.1-1.1 ruby2.2-rubygem-actionpack-5_0-5.0.0.1-1.1 ruby2.2-rubygem-actionpack-doc-4_2-4.2.7.1-1.1 ruby2.2-rubygem-actionpack-doc-5_0-5.0.0.1-1.1 ruby2.3-rubygem-actionpack-4_2-4.2.7.1-1.1 ruby2.3-rubygem-actionpack-5_0-5.0.0.1-1.1 ruby2.3-rubygem-actionpack-doc-4_2-4.2.7.1-1.1 ruby2.3-rubygem-actionpack-doc-5_0-5.0.0.1-1.1 ruby2.2-rubygem-actionpack-4_2-4.2.7.1-1.1 as a component of openSUSE Tumbleweed ruby2.2-rubygem-actionpack-5_0-5.0.0.1-1.1 as a component of openSUSE Tumbleweed ruby2.2-rubygem-actionpack-doc-4_2-4.2.7.1-1.1 as a component of openSUSE Tumbleweed ruby2.2-rubygem-actionpack-doc-5_0-5.0.0.1-1.1 as a component of openSUSE Tumbleweed ruby2.3-rubygem-actionpack-4_2-4.2.7.1-1.1 as a component of openSUSE Tumbleweed ruby2.3-rubygem-actionpack-5_0-5.0.0.1-1.1 as a component of openSUSE Tumbleweed ruby2.3-rubygem-actionpack-doc-4_2-4.2.7.1-1.1 as a component of openSUSE Tumbleweed ruby2.3-rubygem-actionpack-doc-5_0-5.0.0.1-1.1 as a component of openSUSE Tumbleweed Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API. CVE-2014-4671 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-5_0-5.0.0.1-1.1 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-doc-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-doc-5_0-5.0.0.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-5_0-5.0.0.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-doc-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-doc-5_0-5.0.0.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-4671.html CVE-2014-4671 https://bugzilla.suse.com/886454 SUSE Bug 886454 https://bugzilla.suse.com/891688 SUSE Bug 891688 Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence. CVE-2014-7818 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-5_0-5.0.0.1-1.1 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-doc-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-doc-5_0-5.0.0.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-5_0-5.0.0.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-doc-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-doc-5_0-5.0.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-7818.html CVE-2014-7818 https://bugzilla.suse.com/903662 SUSE Bug 903662 https://bugzilla.suse.com/905727 SUSE Bug 905727 Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818. CVE-2014-7829 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-5_0-5.0.0.1-1.1 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-doc-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-doc-5_0-5.0.0.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-5_0-5.0.0.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-doc-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-doc-5_0-5.0.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-7829.html CVE-2014-7829 https://bugzilla.suse.com/905727 SUSE Bug 905727 Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. CVE-2016-2098 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-5_0-5.0.0.1-1.1 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-doc-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.2-rubygem-actionpack-doc-5_0-5.0.0.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-5_0-5.0.0.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-doc-4_2-4.2.7.1-1.1 openSUSE Tumbleweed:ruby2.3-rubygem-actionpack-doc-5_0-5.0.0.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2098.html CVE-2016-2098 https://bugzilla.suse.com/968849 SUSE Bug 968849 https://bugzilla.suse.com/969943 SUSE Bug 969943 https://bugzilla.suse.com/993313 SUSE Bug 993313