Security update for rubygem-actionview-4_2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:2140-1 Final 1 1 2020-08-06T09:05:11Z current 2020-08-06T09:05:11Z 2020-08-06T09:05:11Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-actionview-4_2 This update for rubygem-actionview-4_2 fixes the following issues: - Fixed a potential remote code execution of user-provided local names (bsc#1173144, CVE-2020-8163). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-2140,SUSE-OpenStack-Cloud-6-LTSS-2020-2140,SUSE-OpenStack-Cloud-7-2020-2140,SUSE-OpenStack-Cloud-Crowbar-8-2020-2140,SUSE-OpenStack-Cloud-Crowbar-9-2020-2140 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20202140-1/ Link for SUSE-SU-2020:2140-1 https://lists.suse.com/pipermail/sle-security-updates/2020-August/007231.html E-Mail link for SUSE-SU-2020:2140-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1173144 SUSE Bug 1173144 https://www.suse.com/security/cve/CVE-2020-8163/ SUSE CVE CVE-2020-8163 page SUSE OpenStack Cloud 6-LTSS SUSE OpenStack Cloud 7 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 ruby2.1-rubygem-actionview-4_2-4.2.9-9.9.1 ruby2.1-rubygem-actionview-doc-4_2-4.2.9-9.9.1 ruby2.1-rubygem-activesupport-4_2-4.2.9-7.6.1 ruby2.1-rubygem-activesupport-doc-4_2-4.2.9-7.6.1 ruby2.1-rubygem-actionview-4_2-4.2.9-9.9.1 as a component of SUSE OpenStack Cloud 6-LTSS ruby2.1-rubygem-activesupport-4_2-4.2.9-7.6.1 as a component of SUSE OpenStack Cloud 6-LTSS ruby2.1-rubygem-actionview-4_2-4.2.9-9.9.1 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-activesupport-4_2-4.2.9-7.6.1 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-actionview-4_2-4.2.9-9.9.1 as a component of SUSE OpenStack Cloud Crowbar 8 ruby2.1-rubygem-activesupport-4_2-4.2.9-7.6.1 as a component of SUSE OpenStack Cloud Crowbar 8 ruby2.1-rubygem-actionview-4_2-4.2.9-9.9.1 as a component of SUSE OpenStack Cloud Crowbar 9 ruby2.1-rubygem-activesupport-4_2-4.2.9-7.6.1 as a component of SUSE OpenStack Cloud Crowbar 9 The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE. CVE-2020-8163 SUSE OpenStack Cloud 6-LTSS:ruby2.1-rubygem-actionview-4_2-4.2.9-9.9.1 SUSE OpenStack Cloud 6-LTSS:ruby2.1-rubygem-activesupport-4_2-4.2.9-7.6.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-actionview-4_2-4.2.9-9.9.1 SUSE OpenStack Cloud 7:ruby2.1-rubygem-activesupport-4_2-4.2.9-7.6.1 SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-actionview-4_2-4.2.9-9.9.1 SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-activesupport-4_2-4.2.9-7.6.1 SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-actionview-4_2-4.2.9-9.9.1 SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-activesupport-4_2-4.2.9-7.6.1 important 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20202140-1/ https://www.suse.com/security/cve/CVE-2020-8163.html CVE-2020-8163 https://bugzilla.suse.com/1173144 SUSE Bug 1173144