-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 22 Nov 2025 18:06:58 +0100
Source: rails
Architecture: source
Version: 2:6.0.3.7+dfsg-2+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1030050 1051057 1051058 1085376 1089755
Changes:
 rails (2:6.0.3.7+dfsg-2+deb11u3) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2022-44566 (Closes: #1030050)
     Given a value outside the range for a 64bit signed integer type
     PostgreSQL will treat the column type as numeric. Comparing integer
     values against numeric values can result in a slow sequential scan.
     This behavior is configurable via
     ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
   * Fix CVE-2023-28362 (Closes: #1051058)
     The redirect_to method in Rails allows provided values to contain
     characters which are not legal in an HTTP header value. This results
     in the potential for downstream services which enforce RFC compliance
     on HTTP response headers to remove the assigned Location header.
   * Fix CVE-2023-38037 (Closes: #1051057)
     ActiveSupport::EncryptedFile writes contents that will be encrypted
     to a temporary file. The temporary file's permissions are defaulted
     to the user's current `umask` settings, meaning that it's possible
     for other users on the same system to read the contents of the
     temporary file. Attackers that have access to the file system could
     possibly read the contents of this temporary file while a user is
     editing it.
   * Fix CVE-2024-41128 (Closes: #1085376)
     Action Pack is a framework for handling and responding to web
     requests. There is a possible ReDoS vulnerability in the query
     parameter filtering routines of Action Dispatch. Carefully crafted
     query parameters can cause query parameter filtering to take an
     unexpected amount of time, possibly resulting in a DoS vulnerability.
   * Fix CVE-2024-47887 (Closes: #1085376)
     Action Pack is a framework for handling and responding to web
     requests. There is a possible ReDoS vulnerability in Action
     Controller's HTTP Token authentication. For applications using HTTP
     Token authentication via `authenticate_or_request_with_http_token`
     or similar, a carefully crafted header may cause header parsing to
     take an unexpected amount of time, possibly resulting in a DoS
     vulnerability.
   * Fix CVE-2024-47888 (Closes: #1085376)
     Action Text brings rich text content and editing to Rails. There is
     a possible ReDoS vulnerability in the `plain_text_for_blockquote_node`
     helper in Action Text. Carefully crafted text can cause the
     `plain_text_for_blockquote_node` helper to take an unexpected amount
     of time, possibly resulting in a DoS vulnerability.
   * Fix CVE-2024-47889 (Closes: #1085376)
     Action Mailer is a framework for designing email service layers.
     There is a possible ReDoS vulnerability in the block_format helper
     in Action Mailer. Carefully crafted text can cause the block_format
     helper to take an unexpected amount of time, possibly resulting in
     a DoS vulnerability.
   * Fix CVE-2024-54133 (Closes: #1089755)
     Action Pack is a framework for handling and responding to web
     requests. There is a possible Cross Site Scripting (XSS)
     vulnerability in the `content_security_policy` helper. Applications
     which set Content-Security-Policy (CSP) headers dynamically from
     untrusted user input may be vulnerable to carefully crafted inputs
     being able to inject new directives into the CSP. This could lead
     to a bypass of the CSP and its protection against XSS and other
     attacks.
Checksums-Sha1:
 fca762870acd3bdd5d9042b7013debda14486500 4837 rails_6.0.3.7+dfsg-2+deb11u3.dsc
 c93bf6d051c280503aea30877f686f20c5118483 13967752 rails_6.0.3.7+dfsg.orig.tar.xz
 e931a914da3ee97e7e5527ae78fb9e5cf2488b0d 129864 rails_6.0.3.7+dfsg-2+deb11u3.debian.tar.xz
 ee0bec1596315f43c645ea57d48398d1420f61a0 16972 rails_6.0.3.7+dfsg-2+deb11u3_source.buildinfo
Checksums-Sha256:
 6556c11d8366e04dc1a3ea97fb200bb12d14896fc21073ed434bb16f7588f494 4837 rails_6.0.3.7+dfsg-2+deb11u3.dsc
 f1adfb152227b0b840a85f3c326db91191149021adb2c5afbed99c6d32a94582 13967752 rails_6.0.3.7+dfsg.orig.tar.xz
 bb2327442b835a4125b65f7473c3aab5e326c5f65734f0c83ef29de9a99c1fba 129864 rails_6.0.3.7+dfsg-2+deb11u3.debian.tar.xz
 f2ead6195b4271b1b1ef25e5623870dc3ec643b95561986fc8a1ff54ab7c0d06 16972 rails_6.0.3.7+dfsg-2+deb11u3_source.buildinfo
Files:
 a2c49072dee6ddf03e83a25b5f2a8ee7 4837 ruby optional rails_6.0.3.7+dfsg-2+deb11u3.dsc
 9a2058e157560ede7b3a206d6f521d84 13967752 ruby optional rails_6.0.3.7+dfsg.orig.tar.xz
 18027c45b14894388e369c3561f08a45 129864 ruby optional rails_6.0.3.7+dfsg-2+deb11u3.debian.tar.xz
 eada91df5c830af95a026db0119afb9b 16972 ruby optional rails_6.0.3.7+dfsg-2+deb11u3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmkl7GoACgkQADoaLapB
CF+KnBAAgDHPSnC08wKD3mIrZSZMW4RbeEAzPMlECIZAQaKdGZVwvrNHTzPw6S+4
ajscsxVIVdNbTQTq7XFYjbRV3UJLjOWzJFdniCsRMUQECMEEjyK6dQVaq9irl37B
AttpGgmtmQq2Rro4X8Zjuc3f9JaqRVDKVRXsuyN9fUZllLGSVDP1k3s0WIWtFDPX
/+L6oUDOvUAwAuVk97ptAeH5wm0A85/AscxhfDeGk/YRN/9l6vysQh7Qrg/tjSPi
+CC1FIt4LgBCqUZnr/pJGKeGKQN0l7+KQGCEkPxMwA8AOjmQV1wQLwU0Ykrzcdbg
ATRa0yHMm1kfZpduhr1789SCnOloCZYeAwbk8bDTkRIPrqXNdV+RU/2QXpKhqkrs
Yi2SawC28vshXxBX84x9Nw7eT79JmPe7bRVYmjM1K9TuNKQPetVRu3lkqgqirJwn
ajln/V0Hw57HofEeW8z7iIHtIyKXl3KIjUWMIZGzL8uJ0ciCJL5GAmBDd+t6SnmG
zVX+EEAypnPlNojpV7B2gcGCms1bSVUAYMwZDB4LS57oXyyaIuUoaALHc68Lj4Gx
5lBXAqMNj+xuNRqmnGq2g5VJf7ZOGIzsea2qKirYubD1WN2imSugSe62JYIKy0I8
myLXBXVmWXfPi+jHlWNYLCKfhj3vRa1ZfzpCGNG2Hac5CwHKZg4=
=TnBc
-----END PGP SIGNATURE-----