| Name | CVE-2016-0751 |
| Description | actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-604-1, DSA-3464-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| rails (PTS) | bullseye (security), bullseye | 2:6.0.3.7+dfsg-2+deb11u2 | fixed |
| bookworm | 2:6.1.7.3+dfsg-2~deb12u1 | fixed | |
| sid, trixie | 2:6.1.7.3+dfsg-4 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| rails | source | squeeze | (unfixed) | end-of-life | ||
| rails | source | wheezy | (not affected) | |||
| rails | source | jessie | 2:4.1.8-1+deb8u1 | DSA-3464-1 | ||
| rails | source | (unstable) | 2:4.2.5.1-1 | |||
| ruby-actionpack-2.3 | source | wheezy | (unfixed) | end-of-life | ||
| ruby-actionpack-2.3 | source | (unstable) | (unfixed) | |||
| ruby-actionpack-3.2 | source | wheezy | 3.2.6-6+deb7u3 | DLA-604-1 | ||
| ruby-actionpack-3.2 | source | (unstable) | (unfixed) |
[wheezy] - rails <not-affected> (Vulnerable code not present, is only a transitional package)
[squeeze] - rails <end-of-life> (Not supported in Squeeze LTS)