From Salvatore Bonaccorso@21:1/5 to All on Thu Feb 29 23:10:06 2024
Source: rails
Version: 2:6.1.7.3+dfsg-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for rails.
CVE-2024-26144[0]:
| Rails is a web-application framework. Starting with version 5.2.0,
| there is a possible sensitive session information leak in Active
| Storage. By default, Active Storage sends a Set-Cookie header along
| with the user's session cookie when serving blobs. It also sets
| Cache-Control to public. Certain proxies may cache the Set-Cookie,
| leading to an information leak. The vulnerability is fixed in
| 7.0.8.1 and 6.1.7.7.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.