ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14067-1 Final 1 1 2024-06-24T00:00:00Z current 2024-06-24T00:00:00Z 2024-06-24T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 on GA media These are all security issues fixed in the ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14067 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-23633/ SUSE CVE CVE-2022-23633 page https://www.suse.com/security/cve/CVE-2023-22792/ SUSE CVE CVE-2023-22792 page https://www.suse.com/security/cve/CVE-2023-22795/ SUSE CVE CVE-2023-22795 page https://www.suse.com/security/cve/CVE-2023-22797/ SUSE CVE CVE-2023-22797 page https://www.suse.com/security/cve/CVE-2024-26143/ SUSE CVE CVE-2024-26143 page https://www.suse.com/security/cve/CVE-2024-28103/ SUSE CVE CVE-2024-28103 page openSUSE Tumbleweed ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 as a component of openSUSE Tumbleweed Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used. CVE-2022-23633 openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-23633.html CVE-2022-23633 https://bugzilla.suse.com/1196182 SUSE Bug 1196182 A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. CVE-2023-22792 openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-22792.html CVE-2023-22792 https://bugzilla.suse.com/1207455 SUSE Bug 1207455 A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. CVE-2023-22795 openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-22795.html CVE-2023-22795 https://bugzilla.suse.com/1207451 SUSE Bug 1207451 An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an open redirect vulnerability. CVE-2023-22797 openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-22797.html CVE-2023-22797 https://bugzilla.suse.com/1207449 SUSE Bug 1207449 Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1. CVE-2024-26143 openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-26143.html CVE-2024-26143 https://bugzilla.suse.com/1220522 SUSE Bug 1220522 Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3. CVE-2024-28103 openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-28103.html CVE-2024-28103 https://bugzilla.suse.com/1225996 SUSE Bug 1225996