Security update for rubygem-actionpack-4_2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:0915-1 Final 1 1 2019-04-09T09:21:14Z current 2019-04-09T09:21:14Z 2019-04-09T09:21:14Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-actionpack-4_2 This update for rubygem-actionpack-4_2 fixes the following issues: Security issues fixed: - CVE-2019-5418: Fixed a file content disclosure vulnerability in Action View which could be exploited via specially crafted accept headers in combination with calls to render file (bsc#1129272). - CVE-2019-5419: Fixed a resource exhaustion issue in Action View which could make the server unable to process requests (bsc#1129271). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-915,SUSE-OpenStack-Cloud-7-2019-915,SUSE-OpenStack-Cloud-Crowbar-8-2019-915,SUSE-Storage-4-2019-915 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20190915-1/ Link for SUSE-SU-2019:0915-1 https://www.suse.com/support/update/announcement/2019/suse-su-20190915-1.html E-Mail link for SUSE-SU-2019:0915-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1129271 SUSE Bug 1129271 https://bugzilla.suse.com/1129272 SUSE Bug 1129272 https://www.suse.com/security/cve/CVE-2019-5418/ SUSE CVE CVE-2019-5418 page https://www.suse.com/security/cve/CVE-2019-5419/ SUSE CVE CVE-2019-5419 page SUSE Enterprise Storage 4 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud Crowbar 8 ruby2.1-rubygem-actionpack-4_2-4.2.9-7.6.1 ruby2.1-rubygem-actionpack-doc-4_2-4.2.9-7.6.1 ruby2.1-rubygem-actionpack-4_2-4.2.9-7.6.1 as a component of SUSE Enterprise Storage 4 ruby2.1-rubygem-actionpack-4_2-4.2.9-7.6.1 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-actionpack-4_2-4.2.9-7.6.1 as a component of SUSE OpenStack Cloud Crowbar 8 There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed. CVE-2019-5418 SUSE Enterprise Storage 4:ruby2.1-rubygem-actionpack-4_2-4.2.9-7.6.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-actionpack-4_2-4.2.9-7.6.1 SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-actionpack-4_2-4.2.9-7.6.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190915-1/ https://www.suse.com/security/cve/CVE-2019-5418.html CVE-2019-5418 https://bugzilla.suse.com/1129272 SUSE Bug 1129272 There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive. CVE-2019-5419 SUSE Enterprise Storage 4:ruby2.1-rubygem-actionpack-4_2-4.2.9-7.6.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-actionpack-4_2-4.2.9-7.6.1 SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-actionpack-4_2-4.2.9-7.6.1 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190915-1/ https://www.suse.com/security/cve/CVE-2019-5419.html CVE-2019-5419 https://bugzilla.suse.com/1129271 SUSE Bug 1129271 https://bugzilla.suse.com/1203810 SUSE Bug 1203810