rails - Debian Package Tracker

general

source: rails (main)
version: 2:7.2.2.1+dfsg-7
maintainer: Debian Ruby Team (archive) (DMD)
uploaders: Sruthi Chandran [DMD] – Utkarsh Gupta [DMD]
arch: all
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2:6.0.3.7+dfsg-2+deb11u2
o-o-sec: 2:6.0.3.7+dfsg-2+deb11u2
oldstable: 2:6.1.7.10+dfsg-1~deb12u1
old-sec: 2:6.1.7.10+dfsg-1~deb12u1
stable: 2:7.2.2.1+dfsg-7
testing: 2:7.2.2.1+dfsg-7
unstable: 2:7.2.2.1+dfsg-7

versioned links

2:6.0.3.7+dfsg-2+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:6.1.7.10+dfsg-1~deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:7.2.2.1+dfsg-7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

rails (1 bugs: 0, 0, 1, 0)
ruby-actioncable
ruby-actionmailbox
ruby-actionmailer
ruby-actionpack
ruby-actiontext
ruby-actionview
ruby-activejob
ruby-activemodel
ruby-activerecord
ruby-activestorage
ruby-activesupport
ruby-rails (1 bugs: 0, 1, 0, 0)
ruby-railties (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 7.2.2.2 high

A new upstream version 7.2.2.2 is available, you should consider packaging it.

Created: 2025-08-16 Last update: 2025-09-14 07:01

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-55193: Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.

Created: 2025-08-14 Last update: 2025-08-20 19:29

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2025-55193: Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.

Created: 2025-08-14 Last update: 2025-08-20 19:29

11 security issues in bullseye high

There are 11 open security issues in bullseye.

6 important issues:

CVE-2024-41128: Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
CVE-2024-47887: Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may choose to use Ruby 3.2 as a workaround.Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
CVE-2024-47888: Action Text brings rich text content and editing to Rails. Starting in version 6.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the `plain_text_for_blockquote_node helper` in Action Text. Carefully crafted text can cause the `plain_text_for_blockquote_node` helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
CVE-2024-47889: Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.
CVE-2024-54133: Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.
CVE-2025-55193: Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.

5 issues postponed or untriaged:

CVE-2022-32224: (needs triaging) A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.
CVE-2022-44566: (needs triaging) A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.
CVE-2023-28362: (needs triaging) The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header.
CVE-2023-38037: (needs triaging) ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current `umask` settings, meaning that it's possible for other users on the same system to read the contents of the temporary file. Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it. All users running an affected release should either upgrade or use one of the workarounds immediately.
CVE-2024-26144: (needs triaging) Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

Created: 2024-10-18 Last update: 2025-08-20 19:29

lintian reports 1 error and 10 warnings high

Lintian reports 1 error and 10 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-02-09 Last update: 2025-03-08 06:33

10 security issues in buster high

There are 10 open security issues in buster.

10 important issues:

CVE-2022-32224: A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.
CVE-2022-44566: A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.
CVE-2023-22792: A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
CVE-2023-22795: A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
CVE-2023-22796: A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
CVE-2023-23913:
CVE-2023-28120:
CVE-2023-28362:
CVE-2023-38037:
CVE-2024-26144: Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

Created: 2022-09-14 Last update: 2024-06-29 13:15

Depends on packages which need a new maintainer normal

The packages that rails depends on which need a new maintainer are:

ruby-websocket-driver (#1101283)
- Depends: ruby-websocket-driver
- Build-Depends: ruby-websocket-driver

Created: 2025-03-25 Last update: 2025-09-14 13:00

3 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 576c40d70591b66e4d6fc1372fcfd4bdd1669757
Author: Lucas Nussbaum <lucas@debian.org>
Date:   Sat Sep 6 05:17:21 2025 +0000

    debian/salsa-ci.yml: use team-specific include

commit 8cb0fd59f7dd628b4d300c4ef1b12bab8288f266
Author: Lucas Nussbaum <lucas@debian.org>
Date:   Sat Sep 6 05:17:17 2025 +0000

    debian/.gitattributes: remove

commit 4d8c12722408f0f0b060e62e2726b01c9de6ff27
Author: Lucas Nussbaum <lucas@debian.org>
Date:   Mon Aug 25 16:40:18 2025 +0000

    debian/gbp.conf: Update for DEP-14

Created: 2025-08-25 Last update: 2025-09-11 07:36

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2025-55193: (needs triaging) Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-08-14 Last update: 2025-08-20 19:29

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2025-55193: (needs triaging) Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-08-14 Last update: 2025-08-20 19:29

debian/patches: 4 patches to forward upstream low

Among the 11 debian patches available in version 2:7.2.2.1+dfsg-7 of the package, we noticed the following issues:

4 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-04-22 12:32

news

[rss feed]

[2025-05-02] rails 2:7.2.2.1+dfsg-7 MIGRATED to testing (Debian testing watch)
[2025-04-22] Accepted rails 2:7.2.2.1+dfsg-7 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-21] Accepted rails 2:7.2.2.1+dfsg-6 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-20] Accepted rails 2:7.2.2.1+dfsg-5 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-19] Accepted rails 2:7.2.2.1+dfsg-4 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-19] Accepted rails 2:7.2.2.1+dfsg-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-03-19] Accepted rails 2:6.1.7.10+dfsg-1~deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2025-03-17] Accepted rails 2:6.1.7.10+dfsg-1~deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2025-03-13] rails 2:7.2.2.1+dfsg-2 MIGRATED to testing (Debian testing watch)
[2025-03-07] Accepted rails 2:7.2.2.1+dfsg-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-03-05] Accepted rails 2:7.2.2.1+dfsg-1 (source) into unstable (Utkarsh Gupta)
[2025-02-12] rails 2:6.1.7.3+dfsg-13 MIGRATED to testing (Debian testing watch)
[2025-02-11] Accepted rails 2:7.2.2.1+dfsg-1~exp6 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-02-10] Accepted rails 2:6.1.7.3+dfsg-13 (source) into unstable (Lucas Nussbaum)
[2025-02-10] Accepted rails 2:6.1.7.3+dfsg-12 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-02-10] Accepted rails 2:6.1.7.3+dfsg-11 (source) into unstable (Lucas Nussbaum)
[2025-02-09] Accepted rails 2:6.1.7.3+dfsg-10 (source) into unstable (Lucas Nussbaum)
[2025-01-31] Accepted rails 2:6.1.7.3+dfsg-9 (source) into unstable (Sruthi Chandran)
[2025-01-30] Accepted rails 2:7.2.2.1+dfsg-1~exp4 (source) into experimental (Sruthi Chandran)
[2025-01-30] Accepted rails 2:6.1.7.3+dfsg-8 (source) into unstable (Utkarsh Gupta)
[2025-01-29] Accepted rails 2:7.2.2.1+dfsg-1~exp3 (source) into experimental (Sruthi Chandran)
[2025-01-29] Accepted rails 2:7.2.2.1+dfsg-1~exp2 (source) into experimental (Sruthi Chandran)
[2025-01-28] Accepted rails 2:7.2.2.1+dfsg-1~exp1 (source) into experimental (Cédric Boutillier)
[2025-01-28] Accepted rails 2:6.1.7.3+dfsg-7 (source) into unstable (Cédric Boutillier)
[2025-01-26] Accepted rails 2:6.1.7.3+dfsg-7~exp1 (source) into experimental (Cédric Boutillier)
[2025-01-18] rails 2:6.1.7.3+dfsg-6 MIGRATED to testing (Debian testing watch)
[2025-01-15] Accepted rails 2:6.1.7.3+dfsg-6 (source) into unstable (Cédric Boutillier)
[2025-01-15] Accepted rails 2:6.1.7.3+dfsg-5 (source) into unstable (Cédric Boutillier)
[2024-09-30] rails 2:6.1.7.3+dfsg-4 MIGRATED to testing (Debian testing watch)
[2024-09-23] Accepted rails 2:6.1.7.3+dfsg-4 (source) into unstable (Cédric Boutillier)

bugs [bug history graph]

all: 6
RC: 0
I&N: 4
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (1, 10)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2:7.2.2.1+dfsg-7
6 bugs