[ubuntu/natty-security] rails 2.3.5-1.2ubuntu1.1 (Accepted)
Felix Geyer
debfx-pkg at fobos.de
Wed Oct 12 20:03:19 UTC 2011
rails (2.3.5-1.2ubuntu1.1) natty-security; urgency=low

  * SECURITY UPDATE: multiple cross-site scripting (XSS) vulnerabilities in
    the mail_to helper
    - Add 0001-Be-sure-to-javascript_escape-the-email-address-to-pr.patch
      from Debian and fix Debian bug #629067 by replacing .html_safe with
      html_escape()
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
    - CVE-2011-0446
    - LP: #870846
  * SECURITY UPDATE: rails does not properly validate HTTP requests that
    contain an X-Requested-With header
    - Add 0002-Change-the-CSRF-whitelisting-to-only-apply-to-get-re.patch
      from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
    - CVE-2011-0447
  * SECURITY UPDATE: multiple SQL injection vulnerabilities in the
    quote_table_name method in the ActiveRecord adapters
    - Add CVE-2011-2930.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
    - CVE-2011-2930
  * SECURITY UPDATE: cross-site scripting (XSS) vulnerability in the
    strip_tags helper
    - Add CVE-2011-2931.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
    - CVE-2011-2931
  * SECURITY UPDATE: cross-site scripting vulnerability which allows remote
    attackers to inject arbitrary web script or HTML via a malformed Unicode string
    - Add CVE-2011-2932.patch, backported from upstream
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
    - CVE-2011-2932
  * SECURITY UPDATE: response splitting vulnerability
    - Add CVE-2011-3186.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
    - CVE-2011-3186
Date: Wed, 12 Oct 2011 20:05:02 +0200
Changed-By: Felix Geyer <debfx-pkg at fobos.de>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/natty/+source/rails/2.3.5-1.2ubuntu1.1
Format: 1.8
Date: Wed, 12 Oct 2011 20:05:02 +0200
Source: rails
Binary: rails rails-ruby1.8 rails-doc libactiverecord-ruby libactiverecord-ruby1.8 libactiverecord-ruby1.9.1 libactivesupport-ruby libactivesupport-ruby1.8 libactivesupport-ruby1.9.1 libactionpack-ruby libactionpack-ruby1.8 libactionmailer-ruby libactionmailer-ruby1.8 libactiveresource-ruby libactiveresource-ruby1.8
Architecture: source
Version: 2.3.5-1.2ubuntu1.1
Distribution: natty-security
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Felix Geyer <debfx-pkg at fobos.de>
Description:
libactionmailer-ruby - Framework for generation of customized email messages
libactionmailer-ruby1.8 - Framework for generation of customized email messages
libactionpack-ruby - Controller and View framework used by Rails
libactionpack-ruby1.8 - Controller and View framework used by Rails
libactiverecord-ruby - ORM database interface for ruby
libactiverecord-ruby1.8 - ORM database interface for ruby
libactiverecord-ruby1.9.1 - ORM database interface for ruby
libactiveresource-ruby - Connects objects and REST web services
libactiveresource-ruby1.8 - Connects objects and REST web services
libactivesupport-ruby - utility classes and extensions (Ruby 1.8)
libactivesupport-ruby1.8 - utility classes and extensions (Ruby 1.8)
libactivesupport-ruby1.9.1 - utility classes and extensions (Ruby 1.8)
rails - MVC ruby based framework geared for web application development
rails-doc - Documentation for rails, a MVC ruby based framework
rails-ruby1.8 - MVC ruby based framework geared for web application development
Launchpad-Bugs-Fixed: 870846
Checksums-Sha1:
f746235efc94e43dbbf4d3b0ead17bcff025b6aa 2410 rails_2.3.5-1.2ubuntu1.1.dsc
8922f52e7d2b12e9950aab2cb67563d8ea2a2128 25868 rails_2.3.5-1.2ubuntu1.1.debian.tar.gz
Checksums-Sha256:
1963f358d1df23617d8137929664a4a0c5038422eb19facf92d4f128634f7942 2410 rails_2.3.5-1.2ubuntu1.1.dsc
e576fa250ac709d8f5af42d8dd5fbb3d29c061cd731ccef99d4f52ff9323d923 25868 rails_2.3.5-1.2ubuntu1.1.debian.tar.gz
Files:
75acfa2cbf3fa975b809b80afe7606bf 2410 ruby optional rails_2.3.5-1.2ubuntu1.1.dsc
d0501e38ce5ed6ad4359b0794bdf5703 25868 ruby optional rails_2.3.5-1.2ubuntu1.1.debian.tar.gz
Original-Maintainer: Adam Majer <adamm at zombino.com>