Security update for rubygem-actionpack-5_1 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1344-1 Final 1 1 2019-05-08T07:43:33Z current 2019-05-08T07:43:33Z 2019-05-08T07:43:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-actionpack-5_1 This update for rubygem-actionpack-5_1 fixes the following issues: Security issues fixed: - CVE-2019-5418: Fixed a file content disclosure vulnerability in Action View which could be exploited via specially crafted accept headers in combination with calls to render file (bsc#1129272). - CVE-2019-5419: Fixed a resource exhaustion issue in Action View which could make the server unable to process requests (bsc#1129271). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1344 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FTKJM3ODEL4P7JHON6OYNBT5XQLAHCBS/#FTKJM3ODEL4P7JHON6OYNBT5XQLAHCBS E-Mail link for openSUSE-SU-2019:1344-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1129271 SUSE Bug 1129271 https://bugzilla.suse.com/1129272 SUSE Bug 1129272 https://www.suse.com/security/cve/CVE-2019-5418/ SUSE CVE CVE-2019-5418 page https://www.suse.com/security/cve/CVE-2019-5419/ SUSE CVE CVE-2019-5419 page openSUSE Leap 15.0 ruby2.5-rubygem-actionpack-5_1-5.1.4-lp150.2.3.1 ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp150.2.3.1 ruby2.5-rubygem-actionpack-5_1-5.1.4-lp150.2.3.1 as a component of openSUSE Leap 15.0 ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp150.2.3.1 as a component of openSUSE Leap 15.0 There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed. CVE-2019-5418 openSUSE Leap 15.0:ruby2.5-rubygem-actionpack-5_1-5.1.4-lp150.2.3.1 openSUSE Leap 15.0:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp150.2.3.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FTKJM3ODEL4P7JHON6OYNBT5XQLAHCBS/#FTKJM3ODEL4P7JHON6OYNBT5XQLAHCBS https://www.suse.com/security/cve/CVE-2019-5418.html CVE-2019-5418 https://bugzilla.suse.com/1129272 SUSE Bug 1129272 There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive. CVE-2019-5419 openSUSE Leap 15.0:ruby2.5-rubygem-actionpack-5_1-5.1.4-lp150.2.3.1 openSUSE Leap 15.0:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp150.2.3.1 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FTKJM3ODEL4P7JHON6OYNBT5XQLAHCBS/#FTKJM3ODEL4P7JHON6OYNBT5XQLAHCBS https://www.suse.com/security/cve/CVE-2019-5419.html CVE-2019-5419 https://bugzilla.suse.com/1129271 SUSE Bug 1129271 https://bugzilla.suse.com/1203810 SUSE Bug 1203810