Security Information / 2018 / Security Information -- DSA-4242-1 ruby-sprockets

Debian Security Advisory

DSA-4242-1 ruby-sprockets -- security update

Date Reported:

09 Jul 2018

Affected Packages:

ruby-sprockets

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 901913.
In Mitre's CVE dictionary: CVE-2018-3760.

More information:

Orange Tsai discovered a path traversal flaw in ruby-sprockets, a Rack-based asset packaging system. A remote attacker can take advantage of this flaw to read arbitrary files outside an application's root directory via specially crafted requests, when the Sprockets server is used in production.

For the stable distribution (stretch), this problem has been fixed in version 3.7.0-1+deb9u1.

We recommend that you upgrade your ruby-sprockets packages.

For the detailed security status of ruby-sprockets please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby-sprockets