[ubuntu/maverick-security] rails 2.3.5-1.1ubuntu0.1 (Accepted)

Felix Geyer debfx-pkg at fobos.de
Wed Oct 12 20:03:28 UTC 2011


rails (2.3.5-1.1ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: multiple cross-site scripting (XSS) vulnerabilities in
    the mail_to helper
    - Add 0001-Be-sure-to-javascript_escape-the-email-address-to-pr.patch
      from Debian and fix Debian bug #629067 by replacing .html_safe with
      html_escape()
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
    - CVE-2011-0446
    - LP: #870846
  * SECURITY UPDATE: rails does not properly validate HTTP requests that
    contain an X-Requested-With header
    - Add 0002-Change-the-CSRF-whitelisting-to-only-apply-to-get-re.patch
      from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
    - CVE-2011-0447
  * SECURITY UPDATE: multiple SQL injection vulnerabilities in the
    quote_table_name method in the ActiveRecord adapters
    - Add CVE-2011-2930.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
    - CVE-2011-2930
  * SECURITY UPDATE: cross-site scripting (XSS) vulnerability in the
    strip_tags helper
    - Add CVE-2011-2931.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
    - CVE-2011-2931
  * SECURITY UPDATE: cross-site scripting vulnerability which allows remote
    attackers to inject arbitrary web script or HTML via a malformed Unicode string
    - Add CVE-2011-2932.patch, backported from upstream
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
    - CVE-2011-2932
  * SECURITY UPDATE: response splitting vulnerability
    - Add CVE-2011-3186.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
    - CVE-2011-3186

Date: Wed, 12 Oct 2011 18:48:13 +0200
Changed-By: Felix Geyer <debfx-pkg at fobos.de>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/maverick/+source/rails/2.3.5-1.1ubuntu0.1
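The CVE-2011-0447 entry above says the fix narrows the CSRF whitelist so that only GET requests skip token verification, instead of any request carrying an X-Requested-With header. The following is an added illustration of that decision logic, written for this page; it is not Rails source and not part of the Ubuntu package. The Request struct, the session token, the sample requests and the X-CSRF-Token header fallback are all assumptions made for the example.

```ruby
# Added example (not Rails source): a minimal model of the "is this request
# verified?" rule before and after the CVE-2011-0447 change described in the
# changelog. Request and session handling are simplified stand-ins.

require 'securerandom'

# Constructed stand-in for a Rack/Rails request: only the fields the
# check looks at (HTTP method, request headers, form parameters).
Request = Struct.new(:http_method, :headers, :params)

# Per-session token; a real app stores this in the session (assumed here).
SESSION_TOKEN = SecureRandom.hex(16)

# Constant-time comparison so the token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Weak rule (the behaviour the update removes): any request that carries
# X-Requested-With: XMLHttpRequest is treated as a trusted XHR and skips the
# token check regardless of HTTP method. A cross-site POST that can attach
# that header is therefore accepted without any token.
def verified_request_weak?(req, session_token = SESSION_TOKEN)
  return true if req.http_method == 'GET'
  return true if req.headers['X-Requested-With'] == 'XMLHttpRequest'
  req.params['authenticity_token'] == session_token
end

# Corrected rule: only GET is exempt. Every other method must present the
# session's token, either as the authenticity_token form field or (assumed
# here, the convention later Rails releases use) an X-CSRF-Token header.
# X-Requested-With plays no part in the decision any more.
def verified_request_fixed?(req, session_token = SESSION_TOKEN)
  return true if req.http_method == 'GET'
  supplied = req.params['authenticity_token'] || req.headers['X-CSRF-Token']
  !supplied.nil? && secure_compare(supplied, session_token)
end

# Constructed sample requests.
FORGED = Request.new('POST', { 'X-Requested-With' => 'XMLHttpRequest' }, {})  # cross-site, no token
LEGIT  = Request.new('POST', {}, { 'authenticity_token' => SESSION_TOKEN })   # same-site form post
SAFE   = Request.new('GET', {}, {})                                            # read-only request

# Run every sample through both rules; the forged POST is the interesting row.
def summary
  {
    forged_weak:  verified_request_weak?(FORGED),
    forged_fixed: verified_request_fixed?(FORGED),
    legit_fixed:  verified_request_fixed?(LEGIT),
    get_fixed:    verified_request_fixed?(SAFE)
  }
end

puts summary.inspect if $PROGRAM_NAME == __FILE__
```

The forged POST passes the weak rule and fails the fixed one; the legitimate form post and the GET pass both. When backporting a change like this, the thing to test is exactly that row: a non-GET request with the XHR header and no token must now be rejected.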
-------------- next part --------------
Format: 1.8
Date: Wed, 12 Oct 2011 18:48:13 +0200
Source: rails
Binary: rails rails-ruby1.8 rails-doc libactiverecord-ruby libactiverecord-ruby1.8 libactiverecord-ruby1.9.1 libactivesupport-ruby libactivesupport-ruby1.8 libactivesupport-ruby1.9.1 libactionpack-ruby libactionpack-ruby1.8 libactionmailer-ruby libactionmailer-ruby1.8 libactiveresource-ruby libactiveresource-ruby1.8
Architecture: source
Version: 2.3.5-1.1ubuntu0.1
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Felix Geyer <debfx-pkg at fobos.de>
Description: 
 libactionmailer-ruby - Framework for generation of customized email messages
 libactionmailer-ruby1.8 - Framework for generation of customized email messages
 libactionpack-ruby - Controller and View framework used by Rails
 libactionpack-ruby1.8 - Controller and View framework used by Rails
 libactiverecord-ruby - ORM database interface for ruby
 libactiverecord-ruby1.8 - ORM database interface for ruby
 libactiverecord-ruby1.9.1 - ORM database interface for ruby
 libactiveresource-ruby - Connects objects and REST web services
 libactiveresource-ruby1.8 - Connects objects and REST web services
 libactivesupport-ruby - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.8 - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.9.1 - utility classes and extensions (Ruby 1.8)
 rails      - MVC ruby based framework geared for web application development
 rails-doc  - Documentation for rails, a MVC ruby based framework
 rails-ruby1.8 - MVC ruby based framework geared for web application development
Launchpad-Bugs-Fixed: 870846
Checksums-Sha1: 
 df45499fc6186a59ce480591c61e760cdcf0cc17 2410 rails_2.3.5-1.1ubuntu0.1.dsc
 317789e5990ec542c0af5990aeade0c0c439ec16 23726 rails_2.3.5-1.1ubuntu0.1.debian.tar.gz
Checksums-Sha256: 
 b1607aa1585d9b3c876bf9662e15260a293729a7af7e13d311464175fe6bfcf9 2410 rails_2.3.5-1.1ubuntu0.1.dsc
 4251a9960b0ac6e6f8135eabc731fa0ff896b993063f99238cc54c8173a14d41 23726 rails_2.3.5-1.1ubuntu0.1.debian.tar.gz
Files: 
 b94ee65d1a7d0c438934c0b37f4f6cd3 2410 ruby optional rails_2.3.5-1.1ubuntu0.1.dsc
 644f0c960fac5223c9d0e508606fce26 23726 ruby optional rails_2.3.5-1.1ubuntu0.1.debian.tar.gz
Original-Maintainer: Adam Majer <adamm at zombino.com>