Security update for rubygem-actionpack-3_2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:0835-1 Final 1 1 2016-03-19T11:57:28Z current 2016-03-19T11:57:28Z 2016-03-19T11:57:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-actionpack-3_2 This update for rubygem-actionpack-3_2 fixes the following issues: - CVE-2016-2097: rubygem-actionview: Possible Information Leak Vulnerability in Action View. (boo#968850) - CVE-2016-2098: rubygem-actionpack: Possible remote code execution vulnerability in Action Pack (boo#968849) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html E-Mail link for openSUSE-SU-2016:0835-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 rubygem-actionpack-3_2-3.2.17-3.10.1 rubygem-actionpack-3_2-doc-3.2.17-3.10.1 rubygem-actionpack-3_2-3.2.17-3.10.1 as a component of openSUSE 13.2 rubygem-actionpack-3_2-doc-3.2.17-3.10.1 as a component of openSUSE 13.2 Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752. CVE-2016-2097 openSUSE 13.2:rubygem-actionpack-3_2-3.2.17-3.10.1 openSUSE 13.2:rubygem-actionpack-3_2-doc-3.2.17-3.10.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html https://www.suse.com/security/cve/CVE-2016-2097.html CVE-2016-2097 https://bugzilla.suse.com/963332 SUSE Bug 963332 https://bugzilla.suse.com/968850 SUSE Bug 968850 Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. CVE-2016-2098 openSUSE 13.2:rubygem-actionpack-3_2-3.2.17-3.10.1 openSUSE 13.2:rubygem-actionpack-3_2-doc-3.2.17-3.10.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html https://www.suse.com/security/cve/CVE-2016-2098.html CVE-2016-2098 https://bugzilla.suse.com/968849 SUSE Bug 968849