On 04/02/16 at 15:34, låzaro wrote:
Please check the source:
The vulnerability
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0751
AFFECTS CISCO DEVICES
As for 7576, it is reserved, so it is not identified
as Rails
Rails uses a CSRF token, and was one of the first frameworks to prevent
cross site scripting...
In [1] (the official Rails blog) the vulnerabilities patched in this new
version are clearly published.... for those without a way out to sea
(no Internet access), here it is:
----------------------------------------------------------------------
Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1, and
rails-html-sanitizer 1.0.3 have been released!
Posted by tenderlove, January 25, 2016 @ 7:52 pm in Releases
Hello everyone and happy Monday!
Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been released!
These contain the following important security fixes, and it is
recommended that users upgrade as soon as possible:
CVE-2015-7576 Timing attack vulnerability in basic authentication
in Action Controller.
CVE-2016-0751 Possible Object Leak and Denial of Service attack in
Action Pack
CVE-2015-7577 Nested attributes rejection proc bypass in Active Record.
CVE-2016-0752 Possible Information Leak Vulnerability in Action View
CVE-2016-0753 Possible Input Validation Circumvention in Active Model
CVE-2015-7581 Object leak vulnerability for wildcard controller
routes in Action Pack
For ease of upgrading, these Rails releases only contain patches
pertaining to the security fixes. The released versions can be found in
the usual locations, and you can find a list of changes on GitHub:
Changes in 5.0.0.beta1.1
Changes in 4.2.5.1
Changes in 4.1.14.1
Changes in 3.2.22.1
rails-html-sanitizer version 1.0.3 has been released, and it contains
the following important security fixes:
CVE-2015-7578 Possible XSS vulnerability in rails-html-sanitizer
CVE-2015-7579 XSS vulnerability in rails-html-sanitizer
CVE-2015-7580 Possible XSS vulnerability in rails-html-sanitizer
In Rails 4.2, the HTML sanitizer was inadvertently made much more
permissive than in 4.1.
In order to maintain our "secure by default" policy, rectifying this has
forced us to make a backwards-incompatible change to the sanitizer.
If you use the sanitizer in 4.2, you will need to verify that the more
restrictive filter still permits all the tags you need to allow. If it
doesn't, you can add additional tags to the whitelist.
We've done our best to minimize any impact to your applications, but if
you run in to any issues, please file a ticket and we'll do our best to
help!
Again, as always, if you run in to any bugs, please file them on the
Rails issue tracker which is located here. If you run in to security
issues, please follow the reporting process which can be found here.
Please have a happy Monday! <3<3<3
----------------------------------------------------------------------
[1] http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/
Regards,
--
Michael González Medina
Network Administrator
Centro Nacional de Sanidad Vegetal
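The basic-authentication timing attack in the announcement above (CVE-2015-7576) comes down to comparing a submitted credential with String#==, which stops at the first differing byte and so lets response time reveal how much of the secret a guess already matches. The following is an added example, not code from the Rails project or from this message: a constant-time comparison in plain Ruby following the same XOR-accumulate approach that ActiveSupport::SecurityUtils.secure_compare uses, shown beside the naive check and a constructed credential store (the user name, password and function names are assumptions for the demo).

```ruby
require 'digest'
require 'benchmark'

# Naive check: String#== returns as soon as the first differing byte is found,
# so the response time depends on how long a matching prefix the submitted
# value shares with the real credential. This is the pattern CVE-2015-7576
# describes for Action Controller's basic authentication.
def naive_match?(expected, given)
  expected == given
end

# Constant-time comparison of two strings of equal byte length: XOR every byte
# pair and OR the results into an accumulator, so the loop always runs to the
# end whatever the inputs are.
def fixed_length_secure_compare(a, b)
  raise ArgumentError, 'string lengths differ' unless a.bytesize == b.bytesize

  expected_bytes = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ expected_bytes.shift }
  diff.zero?
end

# Length-independent wrapper: hash both sides so the fixed-length comparison
# always sees inputs of the same size, then confirm with a plain == only when
# the digests already match (at that point nothing is left to leak). This
# mirrors the approach of ActiveSupport::SecurityUtils.secure_compare.
def secure_compare(a, b)
  fixed_length_secure_compare(Digest::SHA256.hexdigest(a),
                              Digest::SHA256.hexdigest(b)) && a == b
end

# Constructed credential store for the demo (assumption, not a real value).
CREDENTIALS = { 'admin' => 'constructed-demo-password' }.freeze

# Basic-auth style check. An unknown user name is compared against a dummy
# value so that "no such user" and "wrong password" take the same code path.
def authenticate(name, password)
  expected = CREDENTIALS.fetch(name, 'no-such-user')
  secure_compare(expected, password) && CREDENTIALS.key?(name)
end

# Illustrative timing run (not a rigorous measurement): compare the real
# password against a guess sharing no prefix and one sharing all but the last
# character, for both checks. The naive check separates the two cases; the
# constant-time one does not.
if __FILE__ == $PROGRAM_NAME
  real = CREDENTIALS['admin']
  guesses = { 'no prefix' => 'x' * real.length,
              'long prefix' => real[0..-2] + 'x' }
  { 'naive' => method(:naive_match?),
    'secure' => method(:secure_compare) }.each do |label, fn|
    guesses.each do |kind, guess|
      t = Benchmark.realtime { 50_000.times { fn.call(real, guess) } }
      printf("%-6s %-11s %.4fs\n", label, kind, t)
    end
  end
end
```

The timing loop at the end only illustrates the difference on one machine; what matters for a deployment is that every credential check goes through the constant-time path, which is what the patched Rails releases listed above do for HTTP basic authentication.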
______________________________________________________________________
Mailing list of the Free Technologies Users Group of Cuba.
Gutl-l@jovenclub.cu
https://listas.jovenclub.cu/cgi-bin/mailman/listinfo/gutl-l