[ubuntu/lucid-security] rails 2.2.3-2ubuntu0.1 (Accepted)

Felix Geyer debfx-pkg at fobos.de
Wed Oct 12 18:03:22 UTC 2011


rails (2.2.3-2ubuntu0.1) lucid-security; urgency=low

   * SECURITY UPDATE: multiple cross-site scripting (XSS) vulnerabilities in
     the mail_to helper
     - backported fix from upstream:
       actionpack/test/template/url_helper_test.rb
       actionpack/lib/action_view/helpers/url_helper.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
     - CVE-2011-0446
     - LP: #870846
   * SECURITY UPDATE: rails does not properly validate HTTP requests that
     contain an X-Requested-With header
     - patch from upstream:
       actionpack/test/controller/request_forgery_protection_test.rb
       actionpack/lib/action_view/helpers.rb
       actionpack/lib/action_view/helpers/csrf_helper.rb
       actionpack/lib/action_controller/request_forgery_protection.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
     - CVE-2011-0447
   * SECURITY UPDATE: multiple SQL injection vulnerabilities in the
     quote_table_name method in the ActiveRecord adapters
     - patch from upstream:
       activerecord/test/cases/base_test.rb
       activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
       activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
     - CVE-2011-2930
   * SECURITY UPDATE: cross-site scripting (XSS) vulnerability in the
     strip_tags helper
     - patch from upstream:
       actionpack/test/controller/html-scanner/sanitizer_test.rb
       actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
     - CVE-2011-2931
   * SECURITY UPDATE: cross-site scripting vulnerability which allows remote
     attackers to inject arbitrary web script or HTML via a malformed Unicode string
     - backported fix from upstream:
       actionpack/lib/action_view/template_handlers/erb.rb
       actionpack/test/template/erb_util_test.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
     - CVE-2011-2932
   * SECURITY UPDATE: response splitting vulnerability
     - patch from upstream:
       actionpack/test/controller/content_type_test.rb
       actionpack/lib/action_controller/response.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
     - CVE-2011-3186

Date: Sat, 08 Oct 2011 17:26:54 +0200
Changed-By: Felix Geyer <debfx-pkg at fobos.de>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/lucid/+source/rails/2.2.3-2ubuntu0.1
Format: 1.8
Date: Sat, 08 Oct 2011 17:26:54 +0200
Source: rails
Binary: rails
Architecture: source
Version: 2.2.3-2ubuntu0.1
Distribution: lucid-security
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Felix Geyer <debfx-pkg at fobos.de>
Description: 
 rails      - MVC ruby based framework geared for web application development
Launchpad-Bugs-Fixed: 870846
Original-Maintainer: Adam Majer <adamm at zombino.com>