Bug 1225997

Summary:	VUL-0: CVE-2024-28103: rmt-server: actionpack: Permissions-Policy is only served on responses with an HTML related Content-Type
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Andrea Mattiazzo <andrea.mattiazzo>
Component:	Incidents	Assignee:	SCC Bugs <scc-bugs>
Status:	NEW ---	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	andrea.mattiazzo, security-team, smash_bz, tschmidt
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/408721/
Whiteboard:
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Bug Depends on:
Bug Blocks:	1225996

Description Andrea Mattiazzo 2024-06-05 10:35:24 UTC

Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in  6.1.7.8, 7.0.8.2, and 7.1.3.3.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-28103
https://www.cve.org/CVERecord?id=CVE-2024-28103
https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7

Patch:
https://discuss.rubyonrails.org/t/cve-2024-28103-permissions-policy-is-only-served-on-html-content-type/85948

Comment 2 Thomas Schmidt 2024-06-05 11:48:05 UTC

This is going to be fixed in the upcoming RMT 2.17 release.

Comment 4 Maintenance Automation 2024-06-11 08:31:03 UTC

SUSE-SU-2024:1974-1: An update that solves one vulnerability, contains two features and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1203171, 1225997
CVE References: CVE-2024-28103
Jira References: PED-7982, PED-8018
Maintenance Incident: [SUSE:Maintenance:34190](https://smelt.suse.de/incident/34190/)
Sources used:
openSUSE Leap 15.5 (src):
 rmt-server-2.17-150500.3.16.1
openSUSE Leap 15.6 (src):
 rmt-server-2.17-150500.3.16.1
Public Cloud Module 15-SP5 (src):
 rmt-server-2.17-150500.3.16.1
Public Cloud Module 15-SP6 (src):
 rmt-server-2.17-150500.3.16.1
Server Applications Module 15-SP5 (src):
 rmt-server-2.17-150500.3.16.1
Server Applications Module 15-SP6 (src):
 rmt-server-2.17-150500.3.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 5 Maintenance Automation 2024-06-11 08:31:07 UTC

SUSE-SU-2024:1973-1: An update that solves one vulnerability, contains two features and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1203171, 1225997
CVE References: CVE-2024-28103
Jira References: PED-7982, PED-8018
Maintenance Incident: [SUSE:Maintenance:34187](https://smelt.suse.de/incident/34187/)
Sources used:
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 rmt-server-2.17-150200.3.45.1
Public Cloud Module 15-SP2 (src):
 rmt-server-2.17-150200.3.45.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 rmt-server-2.17-150200.3.45.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 rmt-server-2.17-150200.3.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Maintenance Automation 2024-06-11 12:30:15 UTC

SUSE-SU-2024:1986-1: An update that solves one vulnerability, contains two features and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1203171, 1225997
CVE References: CVE-2024-28103
Jira References: PED-7982, PED-8018
Maintenance Incident: [SUSE:Maintenance:34189](https://smelt.suse.de/incident/34189/)
Sources used:
openSUSE Leap 15.4 (src):
 rmt-server-2.17-150400.3.25.1
Public Cloud Module 15-SP4 (src):
 rmt-server-2.17-150400.3.25.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 rmt-server-2.17-150400.3.25.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 rmt-server-2.17-150400.3.25.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 rmt-server-2.17-150400.3.25.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 rmt-server-2.17-150400.3.25.1
SUSE Manager Proxy 4.3 (src):
 rmt-server-2.17-150400.3.25.1
SUSE Manager Retail Branch Server 4.3 (src):
 rmt-server-2.17-150400.3.25.1
SUSE Manager Server 4.3 (src):
 rmt-server-2.17-150400.3.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Maintenance Automation 2024-06-21 12:30:24 UTC

SUSE-SU-2024:2140-1: An update that solves one vulnerability, contains two features and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1203171, 1225997
CVE References: CVE-2024-28103
Jira References: PED-7982, PED-8018
Maintenance Incident: [SUSE:Maintenance:34188](https://smelt.suse.de/incident/34188/)
Sources used:
openSUSE Leap 15.3 (src):
 rmt-server-2.17-150300.3.37.1
Public Cloud Module 15-SP3 (src):
 rmt-server-2.17-150300.3.37.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 rmt-server-2.17-150300.3.37.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 rmt-server-2.17-150300.3.37.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 rmt-server-2.17-150300.3.37.1
SUSE Enterprise Storage 7.1 (src):
 rmt-server-2.17-150300.3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 OBSbugzilla Bot 2024-07-04 13:15:04 UTC

This is an autogenerated message for OBS integration:
This bug (1225997) was mentioned in
https://build.opensuse.org/request/show/1185392 Factory / rmt-server