CVE-2014-0082

Name	CVE-2014-0082
Description	actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-2929-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
rails (PTS)	bullseye (security), bullseye	2:6.0.3.7+dfsg-2+deb11u2	fixed
	bookworm	2:6.1.7.3+dfsg-2~deb12u1	fixed
	bookworm (security)	2:6.1.7.10+dfsg-1~deb12u1	fixed
	sid, trixie	2:7.2.2.1+dfsg-7	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
rails	source	squeeze	(unfixed)	end-of-life
rails	source	(unstable)	2.3.14.1
rails-3.2	source	(unstable)	3.2.17-1
rails-4.0	source	(unstable)	(not affected)
ruby-actionpack-2.3	source	wheezy	(unfixed)	end-of-life
ruby-actionpack-2.3	source	(unstable)	(unfixed)
ruby-actionpack-3.2	source	wheezy	3.2.6-6+deb7u2		DSA-2929-1
ruby-actionpack-3.2	source	(unstable)	(unfixed)

Notes

- rails-4.0 <not-affected> (only 3.2.x and earlier)
[squeeze] - rails <end-of-life> (Unsupported in squeeze-lts)
Starting with 2.3.14.1 rails is a transition package