
Debian 11: Rails Critical Security Update DLA-4383-1 CVE-2022-44566

Debian LTS, November 25, 2025
Debian LTS updates for Rails addressing multiple critical weaknesses, including DoS and XSS risks. Upgrade recommended.
Rails, a popular server-side application framework, was affected by multiple vulnerabilities.

Summary

CVE-2022-44566

Given a value outside the range for a 64-bit signed integer type,
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which
defaults to true.

CVE-2023-28362

The redirect_to method in Rails allows provided values
to contain characters which are not legal in an HTTP header
value. This results in the potential for downstream services
which enforce RFC compliance on HTTP response headers to remove
the assigned Location header.

CVE-2023-38037

ActiveSupport::EncryptedFile writes contents that will be
encrypted to a temporary file. The temporary file's permissions
are defaulted to the user's current `umask` settings, meaning
that it's possible for other users on the same system to read
the contents of the temporary file. Attackers that have access

Severity: critical

Package: rails
Version: 2:6.0.3.7+dfsg-2+deb11u3
CVE ID: CVE-2022-44566 CVE-2023-28362 CVE-2023-38037 CVE-2024-41128
Debian Bug: 1030050 1051057 1051058 1085376 1089755
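The temporary-file permission weakness behind CVE-2023-38037, as an added Ruby example that is neither Rails code nor part of the advisory: under a typical 0022 umask a plain File.write leaves the plaintext readable by every local user, while asking for mode 0600 at creation time (with EXCL) does not. The enc-demo path prefix and the helper names are assumptions.

```ruby
require "tmpdir"
require "securerandom"

# Vulnerable pattern: write to a fresh temp path with File.write, which
# creates the file with mode 0666 masked only by the process umask.
def write_tmp_default(contents)
  path = File.join(Dir.tmpdir, "enc-demo-#{SecureRandom.hex(8)}")  # assumed prefix
  File.write(path, contents)
  path
end

# Hardened pattern: request owner-only permission at creation and refuse to
# reuse a pre-existing path (EXCL), so there is no window in which the
# plaintext sits in a file other users can open.
def write_tmp_private(contents)
  path = File.join(Dir.tmpdir, "enc-demo-#{SecureRandom.hex(8)}")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write(contents)
  end
  path
end

# Permission bits (lower nine) of the file at +path+.
def perm_bits(path)
  File.stat(path).mode & 0777
end

# Run a block under a specific umask, restoring the previous one afterwards.
def with_umask(mask)
  old = File.umask(mask)
  yield
ensure
  File.umask(old) if old
end

# Compare both patterns under the common interactive default umask 0022.
def demo
  result = {}
  with_umask(0022) do
    a = write_tmp_default("secret")   # constructed sample plaintext
    b = write_tmp_private("secret")
    result[:default] = perm_bits(a)   # 0644: world-readable
    result[:private] = perm_bits(b)   # 0600: owner only
    File.delete(a, b)
  end
  result
end

puts demo.transform_values { |m| format("%04o", m) } if $PROGRAM_NAME == __FILE__
```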
