ruby2.7-rubygem-activemodel-5.2-5.2.6-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11324 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby2.7-rubygem-activemodel-5.2-5.2.6-1.2 on GA media These are all security issues fixed in the ruby2.7-rubygem-activemodel-5.2-5.2.6-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11324 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11324 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-16782/ SUSE CVE CVE-2019-16782 page https://www.suse.com/security/cve/CVE-2019-5418/ SUSE CVE CVE-2019-5418 page openSUSE Tumbleweed ruby2.7-rubygem-activemodel-5.2-5.2.6-1.2 ruby3.0-rubygem-activemodel-5.2-5.2.6-1.2 ruby2.7-rubygem-activemodel-5.2-5.2.6-1.2 as a component of openSUSE Tumbleweed ruby3.0-rubygem-activemodel-5.2-5.2.6-1.2 as a component of openSUSE Tumbleweed There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison. CVE-2019-16782 openSUSE Tumbleweed:ruby2.7-rubygem-activemodel-5.2-5.2.6-1.2 openSUSE Tumbleweed:ruby3.0-rubygem-activemodel-5.2-5.2.6-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-16782.html CVE-2019-16782 https://bugzilla.suse.com/1159548 SUSE Bug 1159548 https://bugzilla.suse.com/1183174 SUSE Bug 1183174 There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed. CVE-2019-5418 openSUSE Tumbleweed:ruby2.7-rubygem-activemodel-5.2-5.2.6-1.2 openSUSE Tumbleweed:ruby3.0-rubygem-activemodel-5.2-5.2.6-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-5418.html CVE-2019-5418 https://bugzilla.suse.com/1129272 SUSE Bug 1129272