Bugzilla – Bug 1225997
VUL-0: CVE-2024-28103: rmt-server: actionpack: Permissions-Policy is only served on responses with an HTML related Content-Type
Last modified: 2024-07-08 11:01:03 UTC
Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-28103
https://www.cve.org/CVERecord?id=CVE-2024-28103
https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7

Patch: https://discuss.rubyonrails.org/t/cve-2024-28103-permissions-policy-is-only-served-on-html-content-type/85948
This is going to be fixed in the upcoming RMT 2.17 release.
SUSE-SU-2024:1974-1: An update that solves one vulnerability, contains two features and has one security fix can now be installed.
Category: security (moderate)
Bug References: 1203171, 1225997
CVE References: CVE-2024-28103
Jira References: PED-7982, PED-8018
Maintenance Incident: [SUSE:Maintenance:34190](https://smelt.suse.de/incident/34190/)
Sources used:
openSUSE Leap 15.5 (src): rmt-server-2.17-150500.3.16.1
openSUSE Leap 15.6 (src): rmt-server-2.17-150500.3.16.1
Public Cloud Module 15-SP5 (src): rmt-server-2.17-150500.3.16.1
Public Cloud Module 15-SP6 (src): rmt-server-2.17-150500.3.16.1
Server Applications Module 15-SP5 (src): rmt-server-2.17-150500.3.16.1
Server Applications Module 15-SP6 (src): rmt-server-2.17-150500.3.16.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1973-1: An update that solves one vulnerability, contains two features and has one security fix can now be installed.
Category: security (moderate)
Bug References: 1203171, 1225997
CVE References: CVE-2024-28103
Jira References: PED-7982, PED-8018
Maintenance Incident: [SUSE:Maintenance:34187](https://smelt.suse.de/incident/34187/)
Sources used:
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): rmt-server-2.17-150200.3.45.1
Public Cloud Module 15-SP2 (src): rmt-server-2.17-150200.3.45.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): rmt-server-2.17-150200.3.45.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): rmt-server-2.17-150200.3.45.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1986-1: An update that solves one vulnerability, contains two features and has one security fix can now be installed.
Category: security (moderate)
Bug References: 1203171, 1225997
CVE References: CVE-2024-28103
Jira References: PED-7982, PED-8018
Maintenance Incident: [SUSE:Maintenance:34189](https://smelt.suse.de/incident/34189/)
Sources used:
openSUSE Leap 15.4 (src): rmt-server-2.17-150400.3.25.1
Public Cloud Module 15-SP4 (src): rmt-server-2.17-150400.3.25.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): rmt-server-2.17-150400.3.25.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): rmt-server-2.17-150400.3.25.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): rmt-server-2.17-150400.3.25.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): rmt-server-2.17-150400.3.25.1
SUSE Manager Proxy 4.3 (src): rmt-server-2.17-150400.3.25.1
SUSE Manager Retail Branch Server 4.3 (src): rmt-server-2.17-150400.3.25.1
SUSE Manager Server 4.3 (src): rmt-server-2.17-150400.3.25.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:2140-1: An update that solves one vulnerability, contains two features and has one security fix can now be installed.
Category: security (moderate)
Bug References: 1203171, 1225997
CVE References: CVE-2024-28103
Jira References: PED-7982, PED-8018
Maintenance Incident: [SUSE:Maintenance:34188](https://smelt.suse.de/incident/34188/)
Sources used:
openSUSE Leap 15.3 (src): rmt-server-2.17-150300.3.37.1
Public Cloud Module 15-SP3 (src): rmt-server-2.17-150300.3.37.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): rmt-server-2.17-150300.3.37.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): rmt-server-2.17-150300.3.37.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): rmt-server-2.17-150300.3.37.1
SUSE Enterprise Storage 7.1 (src): rmt-server-2.17-150300.3.37.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1225997) was mentioned in https://build.opensuse.org/request/show/1185392 Factory / rmt-server