#ruby

Ubuntu Security Notice 6837-1 - It was discovered that Rack incorrectly handled Multipart MIME parsing. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. This issue only affected Ubuntu 23.10. It was discovered that Rack incorrectly parsed certain media types. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service.

Red Hat Security Advisory 2024-3838-03 - An update for ruby is now available for Red Hat Enterprise Linux 9. Issues addressed include HTTP response splitting and denial of service vulnerabilities.

Red Hat Security Advisory 2024-3671-03 - An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 9.

Red Hat Security Advisory 2024-3670-03 - An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 8.

Red Hat Security Advisory 2024-3668-03 - An update for the ruby:3.1 module is now available for Red Hat Enterprise Linux 9.

# Permissions-Policy is Only Served on HTML Content-Type The application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This has been assigned the CVE identifier CVE-2024-28103. Versions Affected: >= 6.1.0 Not affected: < 6.1.0 Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4 Impact ------ Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- N/A Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our [maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues) regarding security issues. They are in git-am format and consist of a single changeset. * 6-1-include...

Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This has been assigned the CVE identifier CVE-2024-32464. Versions Affected: >= 7.1.0 Not affected: < 7.1.0 Fixed Versions: 7.1.3.4 Impact ------ This could lead to a potential cross site scripting issue within the Trix editor. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- N/A Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our [maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues) regarding security issues. They are in git-am format and consist of a single changeset. * action_text_content_attachment_xss_7_1_stable.patch - Patch for 7.1 series Credits ------- Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for reporting this!

Red Hat Security Advisory 2024-3546-03 - An update for the ruby:3.1 module is now available for Red Hat Enterprise Linux 8.

### Impact Users settings their active admin form legends dynamically may be vulnerable to stored XSS, as long as its value can be injected directly by a malicious user. For example: * A public web application allows users to create entities with arbitrary names. * Active Admin is used to administrate these entities through a private backend. * The form to edit these entities in the private backend has the following shape (note the dynamic `name` value dependent on an attribute of the `resource`): ```ruby form do |f| f.inputs name: resource.name do f.input :name f.input :description end f.actions end ``` Then a malicious user could create an entity with a payload that would get executed in the active admin administrator's browser. Both `form` blocks with an implicit or explicit name (i.e., both `form resource.name` or `form name: resource.name` would suffer from the problem), where the value of the name can be arbitrarily set by non admin users. ### ...