SB2016021012 - Fedora 22 update for rubygem-activesupport
Published: February 10, 2016 Updated: April 24, 2025
Security Bulletin ID
SB2016021012
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Timing attack (CVE-ID: CVE-2015-7576)
The vulnerability allows a remote attacker to bypass authentication.
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.2) Security restrictions bypass (CVE-ID: CVE-2016-0753)
The vulnerability allows a remote attacker to bypass certain security restrictions.
Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.
Remediation
Install update from vendor's website.